Stuff I'm Up To

Technical Ramblings

OwnCloud, php7.0-fpm and Memcache — September 19, 2017

OwnCloud, php7.0-fpm and Memcache

When checking out the setup for our OwnCloud system it came up with a few cautionary problems that needed to be resolved.

The problems related to environment variables and file locking.

php does not seem to be setup properly to query system environment variables. The test with getenv(“PATH”) only returns an empty response. Please check the installation documentation ↗ for php configuration notes and the php configuration of your server, especially when using php-fpm.

and

Transactional file locking is using the database as locking backend, for best performance it’s advised to configure a memcache for locking. See the documentation ↗ for more information.

Continue reading

Advertisements
VMWare Restart Guest from Command Line — August 16, 2017

VMWare Restart Guest from Command Line

We don’t have to do this so often. So when we do I always forget the syntax.

Login as root on the host of the guest OS. Find the numeric VMID of the guest and issue a power off/on command.

# vim-cmd vmsvc/getallvms | grep -i "[GUESTNAME]"
Vmid                   Name                                                             File                                                   Guest OS          Version                                                                                                      Annotation                                                                                                   
114    PaymentsTest                            [Datastore-1] PaymentsTest/PaymentsTest.vmx                                               windows8Server64Guest   vmx-10

# vim-cmd vmsvc/power.getstate 114
Retrieved runtime info
Powered on

# vim-cmd vmsvc/power.off 114
Powering off VM:

# vim-cmd vmsvc/power.getstate 114
Retrieved runtime info
Powered off

# vim-cmd vmsvc/power.on 114
Powering on VM:

 

References: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1038043

VCSA 6.0 U3b to 6.5 U1 — August 10, 2017

VCSA 6.0 U3b to 6.5 U1

So far this upgrade seems to frustrating straight out of the box! We already run a VCSA (vCenter Server Appliance) and the process should be to automatically deploy a new VCSA and migrate the data from the old to the new and then power down the old. All from the Windows GUI installer.

But it fails to deploy with an unknown error.

If you save and view the installer log it becomes abundantly clear what the failure is. The installer is trying to issue a ‘date’ command at the current VCSA’s command line, and fails because it’s expecting a BASH shell and instead it is getting the default vCenter shell where the BASH shell is disabled.

2017-08-10T07:56:13.446Z - info: VM Identifier for Source VC: 78
2017-08-10T07:56:13.570Z - debug: initiateFileTransferFromGuest error: ServerFaultCode: A general system error occurred: Unknown error
2017-08-10T07:56:13.573Z - debug: Failed to get fileTransferInfo:ServerFaultCode: A general system error occurred: Unknown error
2017-08-10T07:56:13.573Z - debug: Failed to get url of file in guest vm:ServerFaultCode: A general system error occurred: Unknown error
2017-08-10T07:56:13.573Z - error: Error in getting fileData for nodeType. Error: ServerFaultCode: A general system error occurred: Unknown error
2017-08-10T07:56:13.573Z - error: Failed to read the nodetype, Error: A general system error occurred: Unknown error
2017-08-10T07:56:13.574Z - info: Checking if password expired
2017-08-10T07:56:14.994Z - info: Banner from server, 
VMware vCenter Server Appliance 6.0.0.30200

Type: vCenter Server with an embedded Platform Services Controller


2017-08-10T07:56:14.995Z - info: Connection ready
2017-08-10T07:56:15.008Z - info: STDOUT: Last login: Thu Aug 10 07:55:37 UTC 2017 from pc8501.domain.local on pts/0

2017-08-10T07:56:15.008Z - info: STDOUT: Last login: Thu Aug 10 07:56:15 2017 from pc8766.domain.local

2017-08-10T07:56:15.010Z - info: STDOUT: date
exit

2017-08-10T07:56:15.246Z - info: STDOUT: Connected to service

2017-08-10T07:56:15.255Z - info: STDOUT: [?1034h
    * List APIs: "help api list"
    * List Plugins: "help pi list"
    * Enable BASH access: "shell.set --enabled True"
    * Launch BASH: "shell"


2017-08-10T07:56:15.255Z - info: STDOUT: Command> d
2017-08-10T07:56:15.256Z - info: STDOUT: ate

2017-08-10T07:56:15.270Z - info: STDOUT: Unknown command: `date'
Command> exit

2017-08-10T07:56:15.305Z - info: Stream :: close
2017-08-10T07:56:15.306Z - info: Password not expired
2017-08-10T07:56:15.308Z - error: sourcePrecheck: error in getting source Info: ServerFaultCode: A general system error occurred: Unknown error

In order to address the issue you need to change the default shell for the root user. It’s very easy to do, but will also require a password change.

Logon to the current VCSA using ssh as the root user. Enable the BASH shell and start the shell using:

shell.set --enabled True
shell

Now change the root users default shell using

# chsh -s /bin/bash root

Now the installer should at least proceed through that part to deploy the image to the specified server.

References: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2100508

SMB mount error(112): Host is down — August 3, 2017

SMB mount error(112): Host is down

Whilst trying to mount a Windows (cifs) volume onto my Linux workstation I encountered the following error:

$ sudo mount -t cifs -o user=mylogon //myserver/myshare /mnt/mountpoint 
Password for mylogon@//myserver/myshare: ***********
mount error(112): Host is down
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

As ever with Windows I suspected the SMBv1 disabled problem and wasn’t disappointed to discover this was precisely the issue.

Continue reading

OpenSSL and Subject Alternative Names — July 27, 2017

OpenSSL and Subject Alternative Names

Now that Google chrome has started bitching about certificates not having Subject Alternative Names because the practice of using Common Names in certificates has changed.

So in order to get the SAN into a CSR you need to edit the OpenSSL config file you’re using for the request. You can spend time scripting something, but for the few times I do it I’ll just copy the base openssl.cnf file to one specific to the CSR I need to create. After all you’ll already have customised the req_distinguished_name section so you don’t have to put in the country and company name all the time. eg.

$ cp /etc/ssl/openssl.cnf ~/myserver.cnf

Then I just use that new cnf file as part of the command line to create the CSR.

$ openssl req -out myserver.csr -new -newkey rsa:2048 -nodes -keyout myserver.key -config ~/myserver.cnf

Continue reading

Squid Kerberos Nightmare — July 25, 2017

Squid Kerberos Nightmare

What a terrible sequence of events we suffered today. Took quite a bit of head scratching, log reading and plenty of Google fu to resolve.

We use Squid with an LDAP and authenticated lookup to establish if a user is a member of an AD group to allow them through the proxy. For some very strange reason the authentication and lookup began failing today.

Continue reading

Owncloud 10.0 Upgrade — July 24, 2017
Remmina/xfreerdp Certificate Name Mismatch — July 21, 2017

Remmina/xfreerdp Certificate Name Mismatch

When using Remmina to connect to some of our older Windows systems we’re seeing a certificate problem that prevents it from connecting. Remmina pretty much says you can’t connect, but you can see the error message if you run remmina from a terminal and try to connect.

connected to server:3389
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@           WARNING: CERTIFICATE NAME MISMATCH!           @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The hostname used for this connection (m3app) does not match any of the names given in the certificate:
Common Name (CN): no CN found in certificate
A valid certificate for the wrong name should NOT be trusted!
tls_connect: certificate not trusted, aborting.
Error: protocol security negotiation or connection failure

Continue reading

Squid3 changes for Debian Jessie —
Can’t ping using FQDN —

Can’t ping using FQDN

I’ve run across this a few times now. It seems every time I do a big Linux upgrade I lose the ability to connect to an internal server using its FQDN. I can ping the short name, I can do a DNS resolution of the FQDN, but I just can’t connect to it using RDP and can’t ping it using its FQDN.

This is something to do with the domain name being .local and conflicting with the MDNS service. Not sure exactly what but it’s an easy fix.

All you need do is adjust the order of the name service lookups in the /etc/nsswitch.conf file and make sure dns comes before the mdns entry.

$ sudo vi /etc/nsswtch.conf
...
hosts: files myhostname dns mdns4_minimal [NOTFOUND=return]

Initially I found the dns was last in the list so just move it in front of the mdns4_minimal entry and you’re set.

Fail2ban – Quick Reference — July 20, 2017
SSH – no matching key exchange method —

SSH – no matching key exchange method

Trying to logon to some older network switch management interfaces I came across a failure due to them using older SHA1 key exchanges and key types. Thankfully OpenSSH supports some legacy options to get around this, at least until we get the switches replaced or upgraded.

$ ssh admin@192.168.10.1
Unable to negotiate with 192.168.10.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Add the option to use DH-G1-SHA1

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.10.1
Unable to negotiate with 192.168.10.1 port 22: no matching host key type found. Their offer: ssh-dss

So now add the ability to use the host key type ssh-dss:

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss admin@192.168.10.1

Now we’re on!

 

References: https://www.openssh.com/legacy.html