Stuff I'm Up To

Technical Ramblings

Remmina/xfreerdp Certificate Name Mismatch — July 21, 2017

Remmina/xfreerdp Certificate Name Mismatch

When using Remmina to connect to some of our older Windows systems we’re seeing a certificate problem that prevents it from connecting. Remmina pretty much says you can’t connect, but you can see the error message if you run remmina from a terminal and try to connect.

connected to server:3389
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@           WARNING: CERTIFICATE NAME MISMATCH!           @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The hostname used for this connection (m3app) does not match any of the names given in the certificate:
Common Name (CN): no CN found in certificate
A valid certificate for the wrong name should NOT be trusted!
tls_connect: certificate not trusted, aborting.
Error: protocol security negotiation or connection failure


Squid3 changes for Debian Jessie —
Can’t ping using FQDN —

Can’t ping using FQDN

I’ve run across this a few times now. It seems every time I do a big Linux upgrade I lose the ability to connect to an internal server using its FQDN. I can ping the short name, I can do a DNS resolution of the FQDN, but I just can’t connect to it using RDP and can’t ping it using its FQDN.

This is down to the domain name ending in .local, which is the domain that multicast DNS (mDNS) reserves for itself: with the mdns4_minimal lookup listed ahead of dns, .local names are handed to mDNS before unicast DNS is ever asked. I’m not sure exactly why each upgrade reorders it, but it’s an easy fix.

All you need to do is adjust the order of the name service lookups in the /etc/nsswitch.conf file and make sure dns comes before the mdns entry.

$ sudo vi /etc/nsswitch.conf
...
hosts: files myhostname dns mdns4_minimal [NOTFOUND=return]

Initially I found that dns was last in the list, so just move it in front of the mdns4_minimal entry and you’re set.
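If you want to check the ordering rather than eyeball it (handy after the next big upgrade), here is an added example, not code from the post, that reads the hosts: line of an nsswitch.conf, reports whether dns is consulted before any mdns source, and prints the corrected line. It runs against two constructed sample files; on a real host point the functions at /etc/nsswitch.conf instead.

```shell
#!/bin/sh
# Added example, not code from the post: inspect the "hosts:" lookup order in an
# nsswitch.conf and print the line with "dns" moved in front of the first mdns
# source. Runs against constructed sample files; on a real host pass
# /etc/nsswitch.conf to the functions instead.
set -f   # "[NOTFOUND=return]" is a valid glob pattern; never let the shell expand it

# Print the first "hosts:" line of the file named in $1.
hosts_line() {
    grep -E '^[[:space:]]*hosts:' "$1" | head -n 1
}

# Succeed (exit 0) if "dns" is consulted before any mdns* source, or if no mdns
# source is listed at all.
dns_before_mdns() {
    dns_pos=0; mdns_pos=0; i=0
    for f in $(hosts_line "$1" | cut -d: -f2-); do
        i=$((i + 1))
        case "$f" in
            dns)   if [ "$dns_pos" -eq 0 ]; then dns_pos=$i; fi ;;
            mdns*) if [ "$mdns_pos" -eq 0 ]; then mdns_pos=$i; fi ;;
        esac
    done
    if [ "$mdns_pos" -eq 0 ]; then return 0; fi
    [ "$dns_pos" -ne 0 ] && [ "$dns_pos" -lt "$mdns_pos" ]
}

# Print the "hosts:" line with "dns" moved directly in front of the first mdns*
# source; the "[NOTFOUND=return]" action stays attached to the mdns source.
fixed_hosts_line() {
    out=""; placed=0
    for f in $(hosts_line "$1" | cut -d: -f2-); do
        case "$f" in
            dns)   continue ;;   # dropped here, re-inserted in front of mdns
            mdns*) if [ "$placed" -eq 0 ]; then out="$out dns"; placed=1; fi ;;
        esac
        out="$out $f"
    done
    if [ "$placed" -eq 0 ]; then out="$out dns"; fi   # no mdns source: keep dns last
    printf 'hosts:%s\n' "$out"
}

# Constructed samples: the Debian default ordering and the post's corrected one.
BAD=$(mktemp); GOOD=$(mktemp)
trap 'rm -f "$BAD" "$GOOD"' EXIT
cat > "$BAD" <<'EOF'
passwd:         files
hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
EOF
cat > "$GOOD" <<'EOF'
hosts: files myhostname dns mdns4_minimal [NOTFOUND=return]
EOF

for conf in "$BAD" "$GOOD"; do
    if dns_before_mdns "$conf"; then
        echo "ok:  $(hosts_line "$conf")"
    else
        echo "fix: $(hosts_line "$conf")"
        echo "  -> $(fixed_hosts_line "$conf")"
    fi
done
```

The script only prints the corrected line; writing it back to /etc/nsswitch.conf is left to you, since that file is read by every program on the box and is worth a glance before it changes.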

Fail2ban – Quick Reference — July 20, 2017
SSH – no matching key exchange method —

SSH – no matching key exchange method

Trying to log on to some older network switch management interfaces, I came across a failure due to them using older SHA1 key exchanges and key types. Thankfully OpenSSH supports some legacy options to get around this, at least until we get the switches replaced or upgraded.

$ ssh admin@192.168.10.1
Unable to negotiate with 192.168.10.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Add the option to allow the diffie-hellman-group1-sha1 key exchange:

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.10.1
Unable to negotiate with 192.168.10.1 port 22: no matching host key type found. Their offer: ssh-dss

So now add the ability to use the host key type ssh-dss:

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss admin@192.168.10.1

Now we’re on!
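Rather than remembering both -o flags every time, the same two error lines can be turned into a Host stanza for ~/.ssh/config that applies only to that switch. The script below is an added example, not the post's or OpenSSH's code; the message wording and option names are OpenSSH's own, and the two sample error lines are the ones from the terminal output above.

```shell
#!/bin/sh
# Added example, not the post's or OpenSSH's code: read the "Unable to negotiate"
# lines ssh prints, map each to the ssh_config option that re-enables exactly the
# algorithm the device offered, and emit a Host stanza scoped to that one device.

# $1: one stderr line from ssh. Prints "Option=+algorithms", or fails silently
# if the line is not one of the four "no matching ... found" negotiation errors.
legacy_option_for() {
    case "$1" in
        *"no matching key exchange method found. Their offer: "*) opt=KexAlgorithms ;;
        *"no matching host key type found. Their offer: "*)       opt=HostKeyAlgorithms ;;
        *"no matching cipher found. Their offer: "*)              opt=Ciphers ;;
        *"no matching MAC found. Their offer: "*)                 opt=MACs ;;
        *) return 1 ;;
    esac
    offer=${1##*"Their offer: "}    # may be a comma-separated list; "+" appends them all
    printf '%s=+%s\n' "$opt" "$offer"
}

# $1: host or IP; remaining arguments: ssh error lines. Prints a Host stanza for
# ~/.ssh/config that enables the legacy algorithms for this host only.
legacy_stanza() {
    host=$1; shift
    printf 'Host %s\n' "$host"
    for line in "$@"; do
        if o=$(legacy_option_for "$line"); then
            printf '    %s\n' "$o"
        fi
    done
    return 0
}

# Copied from the post's terminal output.
ERR_KEX='Unable to negotiate with 192.168.10.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
ERR_HOSTKEY='Unable to negotiate with 192.168.10.1 port 22: no matching host key type found. Their offer: ssh-dss'

legacy_stanza 192.168.10.1 "$ERR_KEX" "$ERR_HOSTKEY"
```

ssh_config accepts both "Keyword value" and "Keyword=value", so the emitted lines are the same option text as the -o flags in the post. The leading "+" appends to OpenSSH's default list instead of replacing it, and the Host line confines the additions to the one device, so every other connection keeps the modern defaults. If a device offers several algorithms, trim the list to the one you actually need before pasting.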

 

References: https://www.openssh.com/legacy.html

VMware Horizon Client on Debian Stretch — July 17, 2017

VMware Horizon Client on Debian Stretch

In order to install the client on Debian 9 (stretch) I’ve had to get libpng12-0 installed from Jessie here:

https://packages.debian.org/en/jessie/amd64/libpng12-0/download

Then I had to create a symbolic link named libffi.so.5 that points at the newer libffi.so.6 already installed (ln -s takes the existing target first, then the name of the link to create).

$ sudo ln -s /usr/lib/x86_64-linux-gnu/libffi.so.6 /usr/lib/x86_64-linux-gnu/libffi.so.5

 

References: https://communities.vmware.com/thread/545364

Debian 9, SAMBA broke my Shares —

Debian 9, SAMBA broke my Shares

I updated my workstation to Debian 9 (stretch) today and immediately after could no longer connect to any of my Windows fileshares.

Guessing this was probably down to changes we made on the Windows servers that disabled SMB v1, it took a little bit of googling to get things working again.

Edit /etc/samba/smb.conf with admin rights and add the following lines into the [global] section.

client max protocol = SMB3
client ipc max protocol = NT1

Save the file and restart the Samba service.

$ sudo systemctl restart samba

 

References: https://forums.linuxmint.com/viewtopic.php?t=220721

OpenVPN DNS — July 4, 2017

OpenVPN DNS

Using OpenDNS on a Linux system that uses resolv.conf requires that the OpenVPN up/down script is able to update the DNS servers pushed by the remote side as dhcp-option values. To do this you must amend your OpenVPN config file to include the following lines.

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Then when you establish your connection your DNS search domain and servers will be added successfully.
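To show what those two lines actually hook into, here is an added, stripped-down stand-in for the update-resolv-conf script (example code, not the Debian script and not from the post). OpenVPN exports every pushed dhcp-option as a foreign_option_N environment variable and sets script_type and dev before calling the hook; resolvconf -a and -d are the Debian resolvconf interface. The option values in the demo branch are constructed.

```shell
#!/bin/sh
# Added example: a stripped-down stand-in for the update-resolv-conf hook that the
# post's "up"/"down" lines point at. Not the Debian script or the post's code.
# OpenVPN exports every pushed "dhcp-option" as foreign_option_N in the
# environment and sets script_type (up/down) and dev; resolvconf -a/-d are the
# Debian resolvconf interface. The values in the demo branch are constructed.

# Print resolv.conf lines for every foreign_option_N present in the environment,
# stopping at the first gap in the numbering (OpenVPN numbers them 1, 2, 3, ...).
resolv_lines_from_env() {
    n=1
    while eval "opt=\${foreign_option_$n-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*)    printf 'nameserver %s\n' "${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) printf 'search %s\n'     "${opt#dhcp-option DOMAIN }" ;;
            *) ;;   # WINS, NBT and other dhcp-option types are not resolv.conf material
        esac
        n=$((n + 1))
    done
}

case "${script_type-}" in
    up)   resolv_lines_from_env | resolvconf -a "${dev}.openvpn" ;;
    down) resolvconf -d "${dev}.openvpn" ;;
    *)    # Not invoked by OpenVPN: show what a pushed configuration turns into.
          foreign_option_1='dhcp-option DNS 10.8.0.1'             # constructed
          foreign_option_2='dhcp-option DOMAIN example.internal'  # constructed
          foreign_option_3='dhcp-option DNS 10.8.0.2'             # constructed
          resolv_lines_from_env ;;
esac
```

Run it with no arguments to see the lines a pushed configuration produces; installed as an up/down script with script-security 2 set, the two resolvconf branches do the work. Keeping the hook this small also makes it obvious what the remote side is allowed to change on your machine: nameserver and search entries, nothing else.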

References: https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/

apt-get – Hash Sum mismatch — June 30, 2017

apt-get – Hash Sum mismatch

I tried to run some updates on my workstation today and it failed with a Hash Sum mismatch.

$ sudo apt-get update

W: Failed to fetch http://www.deb-multimedia.org/dists/jessie/main/i18n/Translation-en Hash Sum mismatch

W: Failed to fetch http://www.deb-multimedia.org/dists/jessie/non-free/i18n/Translation-en Hash Sum mismatch

E: Some index files failed to download. They have been ignored, or old ones used instead.


Bye, bye, Percona — May 25, 2017

Bye, bye, Percona

For quite a few years we’d been running Percona on our Nagios server with no issues. So no reason to change, until sometime over the past few days the repository’s public key expired and automated updates were failing.

I tried to update the key, searching key servers, and eventually gave up. I resorted to removing the repos from my apt sources.list, then installed the MySQL apt repo and MySQL itself. As it installs it warns you to have a backup, because data already exists and may be lost after the install. However, for me it simply removed Percona, installed MySQL and was up and running without any issue.

So it maintained all my users, schemas and tables and performed as expected.

Not that there’s anything wrong with Percona, just that I took the easy option of going with what the majority of our install base uses.

 

Owncloud Upgrade and Maintenance Mode — May 22, 2017
Sophos UTM Up2date CLI — April 4, 2017

Sophos UTM Up2date CLI

After buying some replacement UTM430s to replace the UTM525s, the new 430s came in with some ancient firmware. As I’ve not got them plugged into the network right now, I want to get them up to the same firmware as the current 525s.

In our case the shipped firmware was 9.311 and the current 525s were on 9.411. There’s quite a few updates between those releases!
