Archive for June, 2015

In this article we'll install a virtual machine (CentOS 7) automatically, using an "answer" (kickstart) file. During the process the root password will be set, an additional user (admin1) will be created, and the web, mail and FTP packages will be installed.

But first we need to create a storage pool and a storage volume for our VM.

A storage pool is storage for virtual machines. Storage pools are divided into storage volumes.

A storage volume serves as the virtual machine's hard disk.

In a terminal, type virsh to enter the virsh prompt:

[root@localhost centos]# virsh
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

Let's create a storage pool of type dir (a directory on the host):

virsh # pool-define-as skladishte dir - - - - "/disk/skladishte/"
Pool skladishte defined

A pool named skladishte is now defined, with /disk/skladishte/ as its target directory.

We now need to build the pool (this creates the target directory):

virsh # pool-build skladishte
Pool skladishte built

List pools:

virsh # pool-list --all
Name State Autostart
-------------------------------------------
default active yes
Desktop active yes
dirpool active yes
disk active yes
Downloads inactive yes
Downloads-1 active yes
KVM active yes
skladishte inactive no
USB inactive yes

Start the pool:

virsh # pool-start skladishte
Pool skladishte started

Set the pool to autostart:

virsh # pool-autostart skladishte
Pool skladishte marked as autostarted

Now create a volume in the pool:

virsh # vol-create-as skladishte volume1 12G

A 12 GB volume named volume1 was created in pool skladishte; confirm with pool-info and vol-list:

virsh # pool-info skladishte
Name: skladishte
UUID: 04483aca-512e-4d3a-8910-3091632567ef
State: running
Persistent: yes
Autostart: yes
Capacity: 72.71 GiB
Allocation: 56.08 GiB
Available: 16.63 GiB

virsh # vol-list skladishte
Name Path
------------------------------------------------------------------------------
volume1 /disk/skladishte/volume1

Now install the FTP server, create the folder where the install files and the kickstart file will be placed, and set permissions:

[root@localhost pub]# yum install vsftpd -y

[root@localhost pub]# mkdir /var/ftp/pub/centos

[root@localhost pub]# chmod 755 -R /var/ftp/pub/centos/

Mount the previously downloaded ISO and copy all of its files to the FTP folder (the trailing /. copies the hidden .treeinfo and .discinfo files too, which the installer needs to recognise the tree):

[root@localhost pub]# mkdir /tmp/iso

[root@localhost pub]# mount /home/godon/Downloads/CentOS-7-x86_64-Minimal-1503-01.iso /tmp/iso/
mount: /dev/loop0 is write-protected, mounting read-only

[root@localhost pub]# cp -R /tmp/iso/. /var/ftp/pub/centos/

As the template for our kickstart file we will use anaconda-ks.cfg, which the installer leaves in root's home directory:

[root@localhost pub]# cp /root/anaconda-ks.cfg /var/ftp/pub/centos/ks.cfg

Edit ks.cfg:

#version=RHEL7
# System authorization information
auth --enableshadow --passalgo=sha512
# Install from the FTP tree served by the KVM host (the anaconda-ks.cfg
# template has "cdrom" here, which would make the installer look for a DVD)
url --url="ftp://192.168.0.43/pub/centos"
# Use graphical install
graphical
eula --agreed
reboot
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8
# Root password (SHA-512 crypt hash copied from /etc/shadow)
rootpw --iscrypted $6$HqS6tEQZKMzZXRqT$T1dmqcISnQQtVR.u/Sh56jKr75bS2JwZe20PddB/Ab1kT3391igLp8AA5VX7vlhbl9WJHtMKyMlrxeHB7ghjK1
# System timezone
timezone Europe/Belgrade --isUtc
# Run the Setup Agent on first boot
firstboot --disable
# Partition clearing information
ignoredisk --only-use=vda
zerombr
clearpart --all --initlabel --drives=vda

# Disk partitioning information
part /boot --fstype="ext4" --ondisk=vda --size=500 --asprimary
part pv.16 --ondisk=vda --grow --size=9739 --asprimary
volgroup vg00 --pesize=4096 pv.16
logvol swap --fstype="swap" --size=500 --name=swap --vgname=vg00
logvol / --fstype="ext4" --size=8230 --name=root --vgname=vg00
logvol /home --fstype="ext4" --size=300 --name=home --vgname=vg00
# System bootloader configuration
bootloader --location=mbr --boot-drive=vda

# Additional administrative user (in this example it reuses root's hash)
user --groups=wheel --name=admin1 --password=$6$HqS6tEQZKMzZXRqT$T1dmqcISnQQtVR.u/Sh56jKr75bS2JwZe20PddB/Ab1kT3391igLp8AA5VX7vlhbl9WJHtMKyMlrxeHB7ghjK1 --iscrypted --gecos="admin1"

%packages
@core
@base
@FTP Server
@DNS Name Server
@Web Server
kexec-tools
%end

As you can see, we set the root password (the hash copied from /etc/shadow), the time zone, the disk partitioning, another admin account (admin1), and the packages to be installed. Note that ks.cfg is fetched over anonymous FTP, so anyone who can reach the FTP server can read both password hashes: use a hash generated for this purpose rather than one copied from a production /etc/shadow, and give admin1 a password of its own instead of reusing root's hash.
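The password checks just described, as an added example that is not part of the original post: a small kickstart linter that parses the command section of a ks.cfg and flags plaintext passwords, a non-SHA-512 root hash, a user that reuses root's hash, and a missing or duplicated install source. The sample ks.cfg is constructed to mirror the file above; its hashes are placeholders.

```python
"""Added example (not from the post): a small kickstart linter for the
password-related settings discussed above. Assumes a RHEL/CentOS 7 style
ks.cfg; the hashes in the constructed sample below are placeholders."""
import shlex

# Constructed sample modelled on the ks.cfg above: root and admin1 share one hash.
KS_SAMPLE = """\
#version=RHEL7
auth --enableshadow --passalgo=sha512
url --url="ftp://192.168.0.43/pub/centos"
rootpw --iscrypted $6$PLACEHOLDERSALT$PLACEHOLDERHASH
user --groups=wheel --name=admin1 --password=$6$PLACEHOLDERSALT$PLACEHOLDERHASH --iscrypted --gecos="admin1"
firstboot --disable
%packages
@core
%end
"""

INSTALL_METHODS = ("cdrom", "url", "nfs", "harddrive", "liveimg")


def parse_kickstart(text):
    """Return [(command, positional_args, {option: value})] for the command section.
    Lines inside %packages/%pre/%post ... %end are skipped; comments are ignored."""
    commands = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            in_section = not line.startswith("%end")
            continue
        if in_section:
            continue
        tokens = shlex.split(line)
        cmd, args, opts = tokens[0], [], {}
        for tok in tokens[1:]:
            if tok.startswith("--"):
                key, _, val = tok[2:].partition("=")
                opts[key] = val if val else True   # bare flag -> True
            else:
                args.append(tok)
        commands.append((cmd, args, opts))
    return commands


def lint_kickstart(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    commands = parse_kickstart(text)

    root_hash = None
    for cmd, args, opts in commands:
        if cmd == "rootpw":
            if "lock" in opts:          # rootpw --lock: no password at all, nothing to check
                continue
            if "iscrypted" not in opts:
                findings.append("rootpw: password stored in plaintext; use --iscrypted")
            elif not (args and args[0].startswith("$6$")):
                findings.append("rootpw: hash is not SHA-512 crypt ($6$)")
            root_hash = args[0] if args else None

    for cmd, args, opts in commands:
        if cmd != "user" or "password" not in opts:
            continue
        name = opts.get("name", "?")
        if "iscrypted" not in opts:
            findings.append(f"user {name}: password stored in plaintext; use --iscrypted")
        elif opts["password"] == root_hash:
            findings.append(f"user {name}: same hash as root, i.e. same password")

    # Exactly one install source (cdrom vs url) must be given; the template's
    # leftover "cdrom" next to a "url" line is a common mistake.
    methods = [cmd for cmd, _, _ in commands if cmd in INSTALL_METHODS]
    if len(methods) != 1:
        findings.append(f"install method: expected exactly one of {INSTALL_METHODS}, found {methods}")
    return findings


if __name__ == "__main__":
    for finding in lint_kickstart(KS_SAMPLE):
        print(finding)
```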

Validate the ks.cfg file:

[root@localhost pub]# ksvalidator /var/ftp/pub/centos/ks.cfg

Set the SELinux context so that vsftpd is allowed to serve the ks.cfg file:

[root@localhost pub]# chcon -t public_content_t /var/ftp/pub/centos/ks.cfg

Start the vsftpd service and open the firewall ports:

[root@localhost pub]# systemctl start vsftpd
[root@localhost pub]# firewall-cmd --add-service=ftp --permanent
success
[root@localhost pub]# firewall-cmd --reload
success

Test FTP access to the kickstart file (from a client, fetch ftp://192.168.0.43/pub/centos/ks.cfg).


Now we can install virtual machine:

[root@localhost disk]# virt-install --name=server2.example.com --ram=2048 --vcpus=2 --autostart --os-type=linux --extra-args='ks=ftp://192.168.0.43/pub/centos/ks.cfg ksdevice=ens3 ip=192.168.122.90 netmask=255.255.255.0 gateway=192.168.122.1 dns=8.8.8.8' --disk vol=skladishte/volume1,bus=virtio --location=ftp://192.168.0.43/pub/centos --network bridge=virbr0

Starting install...
Retrieving file vmlinuz... | 9.6 MB 00:00 !!!
Retrieving file initrd.img... | 68 MB 00:00 !!!
Creating domain... | 0 B 00:00

A VM named server2.example.com with 2 GB of RAM, 2 vCPUs and IP address 192.168.122.90 will be installed.

As its hard disk, this VM uses the previously created volume1 from the skladishte pool.

I had to specify the VM network settings here (in --extra-args) instead of in the ks.cfg file to get this working.


In short, RAID is a way of storing the same data in different places on multiple hard disks.

For more info, please visit https://en.wikipedia.org/wiki/RAID.

RAID allows for hardware failure without losing data, and sometimes gives a performance increase due to the distributed workload.

I chose to write about RAID 6 because it tolerates 2 hard disk failures. It requires a minimum of 4 hard disks.

In a RAID 6 array with four disks, data blocks are distributed across the drives: in each stripe, two disks hold data blocks and two hold parity blocks (P and Q).

In the case of six disks (2 GB each), 8 GB is available for storing data; the capacity of two disks is always dedicated to protection, no matter how many hard disks are in the array.

Again, I used a KVM virtual machine with 1 system HDD and 4 additional SATA disks (2 GB each), which will be used for creating the RAID.
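Why two parity disks are enough for two failures, as an added example that is not part of the original post: the P and Q parity arithmetic of RAID 6 over GF(2^8), with reconstruction for the three failure patterns (one data disk; a data disk plus P; two data disks). It generalises beyond the four-disk array above to any number of data disks; the stripe data is constructed.

```python
"""Added example (not from the post): the arithmetic that lets RAID 6 survive
two failed disks. P is plain XOR parity; Q is Reed-Solomon parity over
GF(2^8) with generator g = 2, as in the Linux md raid6 code. Chunks here
are short constructed byte strings standing in for one stripe's blocks."""

# GF(2^8) log/antilog tables for the polynomial x^8 + x^4 + x^3 + x^2 + 1 (0x11d)
EXP = [0] * 512
LOG = [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = _x
    LOG[_x] = _i
    _x <<= 1
    if _x & 0x100:
        _x ^= 0x11d
for _i in range(255, 512):          # doubled so EXP[LOG[a] + LOG[b]] needs no modulo
    EXP[_i] = EXP[_i - 255]


def gf_mul(a, b):
    if a == 0 or b == 0:
        return 0
    return EXP[LOG[a] + LOG[b]]


def gf_inv(a):
    return EXP[255 - LOG[a]]


def parity(data):
    """data: list of equal-length byte strings, one per data disk.
    Returns (P, Q): P = XOR of all chunks, Q = sum over i of g^i * D_i."""
    size = len(data[0])
    p, q = bytearray(size), bytearray(size)
    for i, chunk in enumerate(data):
        for k in range(size):
            p[k] ^= chunk[k]
            q[k] ^= gf_mul(EXP[i], chunk[k])
    return bytes(p), bytes(q)


def _partial(data, p, q, skip):
    """P and Q with every surviving chunk folded out, leaving only the lost disks' share."""
    pp, qq = bytearray(p), bytearray(q)
    for i, chunk in enumerate(data):
        if i in skip:
            continue
        for k in range(len(pp)):
            pp[k] ^= chunk[k]
            qq[k] ^= gf_mul(EXP[i], chunk[k])
    return pp, qq


def recover_one_data(data, p, x):
    """Single data disk x lost (the RAID 5 case): D_x = P xor all other data."""
    pp, _ = _partial(data, p, p, {x})      # Q is not needed here
    return bytes(pp)


def recover_data_and_p(data, q, x):
    """Data disk x and the P disk lost: D_x = g^-x * (Q xor sum of others' g^i * D_i)."""
    _, qq = _partial(data, q, q, {x})
    g_inv_x = EXP[(255 - x) % 255]
    return bytes(gf_mul(g_inv_x, v) for v in qq)


def recover_two_data(data, p, q, x, y):
    """Data disks x < y lost, P and Q intact. With Pxy = D_x ^ D_y and
    Qxy = g^x D_x ^ g^y D_y:  D_x = A*Pxy ^ B*Qxy,  D_y = Pxy ^ D_x,
    where A = g^(y-x) / (g^(y-x) ^ 1) and B = g^-x / (g^(y-x) ^ 1)."""
    pxy, qxy = _partial(data, p, q, {x, y})
    denom_inv = gf_inv(EXP[y - x] ^ 1)
    a = gf_mul(EXP[y - x], denom_inv)
    b = gf_mul(EXP[(255 - x) % 255], denom_inv)
    dx = bytes(gf_mul(a, pv) ^ gf_mul(b, qv) for pv, qv in zip(pxy, qxy))
    dy = bytes(pv ^ dv for pv, dv in zip(pxy, dx))
    return dx, dy


# Constructed stripe: four data disks (the maths is the same for the post's two)
DATA = [b"block-0!", b"block-1!", b"block-2!", b"block-3!"]

if __name__ == "__main__":
    P, Q = parity(DATA)
    print(recover_two_data([None, DATA[1], None, DATA[3]], P, Q, 0, 2) == (DATA[0], DATA[2]))
```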


After starting this VM, let's confirm the disks are initialized: from a terminal, type lsblk -d.


Now we need to partition all four hard drives:

gdisk /dev/sda

Create a GPT partition table on the disk with the o command and confirm with Y. Then press n to create a partition; because we will use all the available space and the default partition type (8300, Linux filesystem), press Enter when asked for the partition number, first and last sector and hex code. Press w to write the changes and Y to confirm:

[root@localhost ja]# gdisk /dev/sda
GPT fdisk (gdisk) version 0.8.6

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries.

Command (? for help): o
This option deletes all partitions and creates a new protective MBR.
Proceed? (Y/N): y

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-4194270, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-4194270, default = 4194270) or {+-}size{KMGTP}:
Current type is 'Linux filesystem'
Hex code or GUID (L to show codes, Enter = 8300):
Changed type of partition to 'Linux filesystem'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): y
OK; writing new GUID partition table (GPT) to /dev/sda.
The operation has completed successfully.

Repeat same procedure for remaining disks.

After creating all the partitions check if we did it well:


Creating the RAID 6 device

Now, after creating the partitions, we can create the RAID:

mdadm --create /dev/md6 --level=6 --raid-devices=4 /dev/sd[a-d]1

--create /dev/md6    a RAID device named /dev/md6 will be created

--level=6            create a RAID 6

--raid-devices=4     the array consists of 4 devices: /dev/sda1, /dev/sdb1, /dev/sdc1 and /dev/sdd1 (the 1 stands for the first partition on each disk)

Now,verify raid configuration:

[root@localhost ja]# mdadm -E /dev/sd[a-d]1
/dev/sda1:
Magic : a92b4efc
Version : 1.2
Feature Map : 0x0
Array UUID : 3235b46a:18b554e3:2e36e760:c898271a
Name : localhost.localdomain:6  (local to host localhost.localdomain)
Creation Time : Tue Jun 17 11:51:49 2015
Raid Level : raid6
Raid Devices : 4

Avail Dev Size : 4190175 (2046.33 MiB 2145.37 MB)
Array Size : 4189184 (4.00 GiB 4.29 GB)
Used Dev Size : 4189184 (2045.84 MiB 2144.86 MB)
Data Offset : 2048 sectors
Super Offset : 8 sectors
Unused Space : before=1960 sectors, after=991 sectors
State : clean
Device UUID : 8a1e81bf:38e71ac6:5f9d4011:61dcdcdb

Update Time : Tue Jun 17 11:52:09 2015
Bad Block Log : 512 entries available at offset 72 sectors
Checksum : a28d6360 - correct
Events : 17

Layout : left-symmetric
Chunk Size : 512K

Device Role : Active device 0
Array State : AAAA ('A' == active, '.' == missing, 'R' == replacing)
/dev/sdb1:
Magic : a92b4efc
Version : 1.2
Feature Map : 0x0
Array UUID : 3235b46a:18b554e3:2e36e760:c898271a
Name : localhost.localdomain:6  (local to host localhost.localdomain)
Creation Time : Tue Jun 17 11:51:49 2015
Raid Level : raid6
Raid Devices : 4

Avail Dev Size : 4190175 (2046.33 MiB 2145.37 MB)
Array Size : 4189184 (4.00 GiB 4.29 GB)
Used Dev Size : 4189184 (2045.84 MiB 2144.86 MB)
Data Offset : 2048 sectors
Super Offset : 8 sectors
Unused Space : before=1960 sectors, after=991 sectors
State : clean
Device UUID : 5a9358c0:5f643012:38b3e264:63c7bc41

Update Time : Tue Jun 17 11:52:09 2015
Bad Block Log : 512 entries available at offset 72 sectors
Checksum : a8fc5632 - correct
Events : 17

Layout : left-symmetric
Chunk Size : 512K

Device Role : Active device 1
Array State : AAAA ('A' == active, '.' == missing, 'R' == replacing)
/dev/sdc1:
Magic : a92b4efc
Version : 1.2
Feature Map : 0x0
Array UUID : 3235b46a:18b554e3:2e36e760:c898271a
Name : localhost.localdomain:6  (local to host localhost.localdomain)
Creation Time : Tue Jun 17 11:51:49 2015
Raid Level : raid6
Raid Devices : 4

Avail Dev Size : 4190175 (2046.33 MiB 2145.37 MB)
Array Size : 4189184 (4.00 GiB 4.29 GB)
Used Dev Size : 4189184 (2045.84 MiB 2144.86 MB)
Data Offset : 2048 sectors
Super Offset : 8 sectors
Unused Space : before=1960 sectors, after=991 sectors
State : clean
Device UUID : 285e93ad:942a4cac:75b3284c:9469476a

Update Time : Tue Jun 17 11:52:09 2015
Bad Block Log : 512 entries available at offset 72 sectors
Checksum : 402389a5 - correct
Events : 17

Layout : left-symmetric
Chunk Size : 512K

Device Role : Active device 2
Array State : AAAA ('A' == active, '.' == missing, 'R' == replacing)
/dev/sdd1:
Magic : a92b4efc
Version : 1.2
Feature Map : 0x0
Array UUID : 3235b46a:18b554e3:2e36e760:c898271a
Name : localhost.localdomain:6  (local to host localhost.localdomain)
Creation Time : Tue Jun 17 11:51:49 2015
Raid Level : raid6
Raid Devices : 4

Avail Dev Size : 4190175 (2046.33 MiB 2145.37 MB)
Array Size : 4189184 (4.00 GiB 4.29 GB)
Used Dev Size : 4189184 (2045.84 MiB 2144.86 MB)
Data Offset : 2048 sectors
Super Offset : 8 sectors
Unused Space : before=1960 sectors, after=991 sectors
State : clean
Device UUID : 36187a4c:57ffdaba:c2ac043c:28ac5f59

Update Time : Tue Jun 17 11:52:09 2015
Bad Block Log : 512 entries available at offset 72 sectors
Checksum : cc8d5457 - correct
Events : 17

Layout : left-symmetric
Chunk Size : 512K

Device Role : Active device 3
Array State : AAAA ('A' == active, '.' == missing, 'R' == replacing)

[root@localhost ja]# mdadm --detail /dev/md6
/dev/md6:
Version : 1.2
Creation Time : Tue Jun 17 11:51:49 2015
Raid Level : raid6
Array Size : 4189184 (4.00 GiB 4.29 GB)
Used Dev Size : 2094592 (2045.84 MiB 2144.86 MB)
Raid Devices : 4
Total Devices : 4
Persistence : Superblock is persistent

Update Time : Tue Jun 17 11:52:09 2015
State : clean
Active Devices : 4
Working Devices : 4
Failed Devices : 0
Spare Devices : 0

Layout : left-symmetric
Chunk Size : 512K

Name : localhost.localdomain:6  (local to host localhost.localdomain)
UUID : 3235b46a:18b554e3:2e36e760:c898271a
Events : 17

Number   Major   Minor   RaidDevice State
0       8        1        0      active sync   /dev/sda1
1       8       17        1      active sync   /dev/sdb1
2       8       33        2      active sync   /dev/sdc1
3       8       49        3      active sync   /dev/sdd1

Format newly created RAID device (/dev/md6):

[root@localhost ja]# mkfs.ext4 /dev/md6
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=128 blocks, Stripe width=256 blocks
262144 inodes, 1047296 blocks
52364 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1073741824
32 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

Recheck the configuration:

cat /proc/mdstat
Personalities : [raid6] [raid5] [raid4]
md6 : active raid6 sdd1[3] sdc1[2] sdb1[1] sda1[0]
4189184 blocks super 1.2 level 6, 512k chunk, algorithm 2 [4/4]

Now create the folder in which the RAID device /dev/md6 will be mounted:

mkdir /mnt/myraid6

Edit the /etc/fstab file to automount the RAID device on startup at /mnt/myraid6; add a new line at the end:

/dev/md6                              /mnt/myraid6                  ext4               defaults     0      1

/dev/md6 - the device to be mounted

/mnt/myraid6 - where to mount it

ext4 - the filesystem

defaults - mount options (equivalent to: rw, suid, dev, exec, auto, nouser, and async)

0 - the fifth field is a binary value ("0" for false and "1" for true) for "dumping". This is a pretty much outdated method of backup for cases when the system went down. You should leave this as "0".

1 - the last field is a numeric value for the fsck "pass". It tells the system the order in which to perform file system checks. A file system with "0" is skipped. The root file system should always be "1" and other file systems can go afterward (conventionally "2"). This works best for journaling file systems like ext3/4 and ReiserFS.

Check /etc/fstab for errors:

mount -av


As the message stated, I need to relabel the mount folder to avoid an SELinux denial; the relabel runs on the next boot:

touch /.autorelabel

Now create some data and test the RAID's resilience:

echo $(date +%d-%b-%H_%M)>/mnt/myraid6/date

Now reboot the server,after restart simulate HDD error:

mdadm -f /dev/md6 /dev/sda1


Check configuration:

[root@localhost myraid6]# mdadm --detail /dev/md6
/dev/md6:
Version : 1.2
Creation Time : Wed Jun 17 11:21:20 2015
Raid Level : raid6
Array Size : 4189184 (4.00 GiB 4.29 GB)
Used Dev Size : 2094592 (2045.84 MiB 2144.86 MB)
Raid Devices : 4
Total Devices : 4
Persistence : Superblock is persistent

Update Time : Wed Jun 17 11:55:46 2015
State : clean, degraded
Active Devices : 3
Working Devices : 3
Failed Devices : 1
Spare Devices : 0

Layout : left-symmetric
Chunk Size : 512K

Name : localhost.localdomain:6 (local to host localhost.localdomain)
UUID : 00358bb8:7a4f76f2:09163599:9755b768
Events : 19

Number   Major   Minor   RaidDevice State
   0       0        0        0      removed
   1       8       17        1      active sync   /dev/sdb1
   2       8       33        2      active sync   /dev/sdc1
   3       8       49        3      active sync   /dev/sdd1

   0       8        1        -      faulty   /dev/sda1

Mark another disk as failed:

mdadm -f /dev/md6 /dev/sdb1


Check again:

mdadm --detail /dev/md6

Now we have 2 faulty hard disks, but we can still access the data mounted on the myraid6 folder.
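The state just observed, turned into a check an operator could run, as an added example that is not part of the original post: a parser for /proc/mdstat that lists faulty members and rates each array against its RAID level's fault tolerance, so that a RAID 6 with two faulty disks is reported as critical (still serving data, but the next failure loses it). The two mdstat samples are constructed to mirror the output above.

```python
"""Added example (not from the post): detection logic for the degraded state
shown above, run over constructed /proc/mdstat samples modelled on the post's
output (the post's own mdstat line omitted the trailing [UUUU] status map)."""
import re

MDSTAT_CLEAN = """\
Personalities : [raid6] [raid5] [raid4]
md6 : active raid6 sdd1[3] sdc1[2] sdb1[1] sda1[0]
      4189184 blocks super 1.2 level 6, 512k chunk, algorithm 2 [4/4] [UUUU]

unused devices: <none>
"""

# Same array after sda1 and sdb1 were marked faulty with mdadm -f
MDSTAT_TWO_FAULTY = """\
Personalities : [raid6] [raid5] [raid4]
md6 : active raid6 sdd1[3] sdc1[2] sdb1[1](F) sda1[0](F)
      4189184 blocks super 1.2 level 6, 512k chunk, algorithm 2 [4/2] [__UU]

unused devices: <none>
"""

MD_LINE = re.compile(r"^(md\d+)\s*:\s*(\w+)\s+(raid\d+)\s+(.*)$")
MEMBER = re.compile(r"(\S+?)\[(\d+)\](\([A-Z]\))?")     # sdb1[1](F): device, slot, flag
STATUS = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")   # [configured/active] [UU__]


def parse_mdstat(text):
    """Return {array: {level, members, faulty, configured, active, map}}."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = MD_LINE.match(line)
        if m:
            name, _state, level, members = m.groups()
            current = {"level": level, "members": [], "faulty": []}
            for dev, _slot, flag in MEMBER.findall(members):
                current["members"].append(dev)
                if flag == "(F)":
                    current["faulty"].append(dev)
            arrays[name] = current
            continue
        s = STATUS.search(line)
        if s and current is not None:
            current["configured"], current["active"] = int(s.group(1)), int(s.group(2))
            current["map"] = s.group(3)
    return arrays


def fault_tolerance(level, configured):
    """How many members may be missing before data is lost."""
    return {"raid6": 2, "raid5": 1, "raid4": 1, "raid1": configured - 1}.get(level, 0)


def assess(arrays):
    """Return [(array, verdict, missing, faulty_members)].
    'critical' means the array is at its tolerance limit: one more failure loses data."""
    report = []
    for name, a in arrays.items():
        missing = a["configured"] - a["active"]
        tolerance = fault_tolerance(a["level"], a["configured"])
        if missing == 0:
            verdict = "ok"
        elif missing < tolerance:
            verdict = "degraded"
        elif missing == tolerance:
            verdict = "critical"
        else:
            verdict = "failed"
        report.append((name, verdict, missing, a["faulty"]))
    return report


if __name__ == "__main__":
    for sample in (MDSTAT_CLEAN, MDSTAT_TWO_FAULTY):
        print(assess(parse_mdstat(sample)))
```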


We'll start with inheritance. Sometimes (e.g. when creating folders for roaming profiles) we need to disable inheritance in order to prevent users from accessing other users' folders.

$acl = Get-Item $dir | Get-Acl
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $dir -AclObject $acl

First we read the ACL into a variable, then in SetAccessRuleProtection($true, $true) we actually manage the permissions. The first parameter, when $true, protects the folder from inheritance (inheritance is disabled); $false lets it inherit again. The second one manages the existing access control entries (ACEs): $true keeps the currently inherited ACEs as explicit entries, $false removes them and starts with a clean list.

The third line simply applies our decision.

Setting NTFS permissions

To set NTFS permissions, we first need to install the File System Security PowerShell Module (NTFSSecurity).

To see the current NTFS permissions, type:

Get-Item "c:\1" | Get-NTFSAccess

To set permissions we need to type:

Add-NTFSAccess -Path "C:\1" -Account 'example\Authenticated Users' -AccessRights FullControl

For removing permissions:

Remove-NTFSAccess -Path "c:\1" -Account "example\domain users" -AccessRights FullControl

Inherited permissions cannot be removed this way.

To remove all NTFS permissions for an account:

Get-ChildItem -Path c:\1 -Recurse |
    Get-NTFSAccess -Account "example\test group" -ExcludeInherited |
    Remove-NTFSAccess

Get-ChildItem with the -Recurse switch processes files and folders recursively.

Setting ACE permissions

Flag combinations can be found on the Microsoft site:

https://msdn.microsoft.com/en-us/library/ms229747%28v=vs.110%29.aspx

From this table we can combine flags and apply them to folders, subfolders or files. For example, to set an ACE granting Full Control on a folder (the folder test has no subfolders):

$InheritanceFlags = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit"
$PropagationFlags = [System.Security.AccessControl.PropagationFlags]"None"
$FileSystemAccessRights = [System.Security.AccessControl.FileSystemRights]"FullControl"
$AccessControlType = [System.Security.AccessControl.AccessControlType]"Allow"

$acl = Get-Acl c:\test
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("test group", $FileSystemAccessRights, $InheritanceFlags, $PropagationFlags, $AccessControlType)
# the rule must be added to the ACL object before it is written back
$acl.AddAccessRule($AccessRule)
$acl | Set-Acl -Path c:\test

Today we will join a Linux machine (Fedora 21 Server) to a Windows domain, configure a shared folder and configure a folder redirection GPO pointing at the Samba server.

I am using a KVM Linux host (Fedora 21 Server), IP address 192.168.0.43.

KVM guest server1.example.com (CentOS 7, has DHCP and DNS services installed and configured) with IP 192.168.122.200.

KVM guest localhost.example.com (Fedora 21 Server) will be our Samba server, with IP 192.168.122.10.

Now I will install a KVM guest running Windows Server 2012, dc.example.com, IP address 192.168.122.100.

Installing the Windows Domain Controller VM:

virt-install --cdrom /disk/Win_2012_64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso --name "dc" --memory=4096 --file=/disk/dc.qcow2 --file-size=25 --vcpus=4 --os-type=windows

The command above creates a virtual machine named dc with 4 GB of RAM, 4 CPU cores and a 25 GB hard disk; the installation medium is the ISO copied into the /disk folder.

After the installation completes, we can configure Windows Server 2012.

First rename the computer and restart (I used PowerShell commands):

Rename-Computer -NewName dc -Restart

After the reboot, set the primary DNS suffix:

netdom computername dc /add:dc.example.com
netdom computername dc /makeprimary:dc.example.com

Reboot again.

Now we will set the IP address, default gateway and primary DNS server (I will point the DC to the Linux DNS server; the DNS role will not be installed on our Windows server):

New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.122.100 -PrefixLength 24 -DefaultGateway 192.168.122.1

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.122.200

Enable Remote Desktop connections and open the firewall port:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

On the Linux KVM host, open port 3389:

firewall-cmd --add-port=3389/tcp --permanent

firewall-cmd --reload

I want to enable Remote Desktop connections to the Windows VM, so I need to redirect all requests received on the KVM host's port 3389 to the Windows server.

Strangely, the firewall-cmd --add-forward-port command simply didn't work; I couldn't get port forwarding working.

I saw on the internet that someone else complained about the same issue; it looks like a bug.

But the iptables commands work, at least until you set another rule or restart the computer, so save the rules with iptables-save > file_name

and after a reboot reload them with iptables-restore < file_name

iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.122.100:3389

iptables -I FORWARD -m state -d 192.168.122.100 --state NEW,RELATED,ESTABLISHED -j ACCEPT

I can now access the Windows domain controller (192.168.122.100), hosted on 192.168.0.43, from my laptop (192.168.0.41).


Now we need to allow the Windows machine to write to the example.com zone file on our Linux DNS server (server1.example.com).

Here I described how to install DNS and allow dynamic updates; the changes in /etc/named.conf are the "allowed" acl, the allow-query and allow-recursion lines, the dhcp_updater key and the allow-update lines in the two zones:

acl "allowed" {
    192.168.122.0/24;
    localhost;
};

options {
    listen-on port 53 { 192.168.122.200; 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { allowed; };
    forwarders { 8.8.8.8; };

    recursion yes;
    allow-recursion { allowed; };

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

key dhcp_updater {
    algorithm hmac-md5;
    secret "kfc1r6C2VwHGnKMi/NHt6w==";
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "122.168.192.in-addr.arpa" IN {
    type master;
    file "/var/named/chroot/etc/named/reverse.example.com.db";
    allow-update { key "dhcp_updater"; 192.168.122.100; };
};

zone "example.com" IN {
    type master;
    file "/var/named/chroot/etc/named/example.com.db";
    allow-update { key "dhcp_updater"; 192.168.122.100; };
};

Now Server 2012 can update the zone file. Two caveats on that allow-update line: the hmac-md5 algorithm is what the existing dhcp_updater key uses, but new TSIG keys should be generated with hmac-sha256; and allowing updates by source address alone (192.168.122.100) trusts anything that can send packets from that address on the 192.168.122.0/24 segment, so the key-based entry is the stronger of the two.

Installing the AD DS role:

In a PowerShell prompt type:

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "c:\windows\ntds" `
    -DomainMode "win2012r2" -DomainName "example.com" -DomainNetbiosName "EXAMPLE" -ForestMode "win2012r2" -InstallDns:$false -LogPath "c:\windows\ntds" `
    -NoRebootOnCompletion:$false -SysvolPath "c:\windows\sysvol" -Force:$true


During installation the DC writes lots of records into the zone file, as you can see from /var/log/messages.


After our DC has restarted, check the example.com zone file (example.com.db):

$ORIGIN .
$TTL 10800    ; 3 hours
example.com        IN SOA    server1.example.com. root.example.com. (
                                2015052644 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )
                   NS    server1.example.com.
$TTL 600    ; 10 minutes
                   A     192.168.122.100
$TTL 10800    ; 3 hours
                   MX    10 server1.example.com.
$ORIGIN _msdcs.example.com.
$TTL 600    ; 10 minutes
5d11ccae-11e0-47ca-a9b0-998885292876 CNAME dc.example.com.
$ORIGIN _tcp.Default-First-Site-Name._sites.dc._msdcs.example.com.
_kerberos   SRV    0 100 88 dc.example.com.
_ldap       SRV    0 100 389 dc.example.com.
$ORIGIN _tcp.dc._msdcs.example.com.
_kerberos   SRV    0 100 88 dc.example.com.
_ldap       SRV    0 100 389 dc.example.com.
$ORIGIN _msdcs.example.com.
_ldap._tcp.18bb2267-243e-4394-821e-5406e4c7e256.domains SRV 0 100 389 dc.example.com.
$ORIGIN gc._msdcs.example.com.
_ldap._tcp.Default-First-Site-Name._sites SRV 0 100 3268 dc.example.com.
_ldap._tcp  SRV    0 100 3268 dc.example.com.
$ORIGIN _msdcs.example.com.
_ldap._tcp.pdc SRV 0 100 389 dc.example.com.
$ORIGIN _tcp.Default-First-Site-Name._sites.example.com.
_gc         SRV    0 100 3268 dc.example.com.
_kerberos   SRV    0 100 88 dc.example.com.
_ldap       SRV    0 100 389 dc.example.com.
$ORIGIN _tcp.example.com.
_gc         SRV    0 100 3268 dc.example.com.
_kerberos   SRV    0 100 88 dc.example.com.
_kpasswd    SRV    0 100 464 dc.example.com.
_ldap       SRV    0 100 389 dc.example.com.
$ORIGIN _udp.example.com.
_kerberos   SRV    0 100 88 dc.example.com.
_kpasswd    SRV    0 100 464 dc.example.com.
$ORIGIN example.com.
$TTL 1200    ; 20 minutes
dc          A    192.168.122.100
$TTL 300    ; 5 minutes
localhost   A    192.168.122.10
            TXT  "31b3e25f324398b385f0fa3ce3a53b3ccb"
$TTL 10800    ; 3 hours
server1     A    192.168.122.200

As you can see, although we are using BIND for DNS, Windows Active Directory works fine with it.

Check the SRV records:
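What "check the SRV records" amounts to, as an added example that is not part of the original post: a parser for the $ORIGIN-relative zone file format above and a check that the SRV records a domain member needs to find a DC (_ldap, _kerberos, _kpasswd, _gc and the _msdcs entries) exist and point at a host with an A record. The zone sample is constructed from the records above with the SOA on one line; the parser handles single-line records only.

```python
"""Added example (not from the post): a parser for the $ORIGIN-relative zone
file shown above, followed by a check that the SRV records an AD client needs
to locate a DC are present and resolve. Constructed sample with the records
from the post, cleaned up and with the SOA on one line (multi-line
parenthesised RDATA is not handled)."""

ZONE_SAMPLE = """\
$ORIGIN .
$TTL 10800    ; 3 hours
example.com        IN SOA    server1.example.com. root.example.com. ( 2015052644 86400 3600 604800 10800 )
                   NS    server1.example.com.
                   A     192.168.122.100
$ORIGIN _tcp.dc._msdcs.example.com.
_kerberos SRV 0 100 88 dc.example.com.
_ldap     SRV 0 100 389 dc.example.com.
$ORIGIN _tcp.example.com.
_gc       SRV 0 100 3268 dc.example.com.
_kerberos SRV 0 100 88 dc.example.com.
_kpasswd  SRV 0 100 464 dc.example.com.
_ldap     SRV 0 100 389 dc.example.com.
$ORIGIN _udp.example.com.
_kerberos SRV 0 100 88 dc.example.com.
_kpasswd  SRV 0 100 464 dc.example.com.
$ORIGIN example.com.
dc        A   192.168.122.100
server1   A   192.168.122.200
"""

# SRV names an AD domain member looks up (owner, expected port)
REQUIRED_SRV = [
    ("_ldap._tcp.example.com.", 389),
    ("_kerberos._tcp.example.com.", 88),
    ("_kerberos._udp.example.com.", 88),
    ("_kpasswd._tcp.example.com.", 464),
    ("_gc._tcp.example.com.", 3268),
    ("_ldap._tcp.dc._msdcs.example.com.", 389),
]


def fqdn(name, origin):
    """Qualify a zone-file owner name against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text, origin="."):
    """Return [(owner_fqdn, type, [rdata fields])] for single-line records."""
    records, owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.split()
        if not line[0].isspace():                 # leading blank = same owner as before
            owner = fields.pop(0)
        if fields and fields[0] in ("IN", "CH", "HS"):
            fields.pop(0)
        records.append((fqdn(owner, origin), fields[0], fields[1:]))
    return records


def check_ad_srv(records):
    """Return problems found; an empty list means every required SRV exists
    and its target has an A record in the zone."""
    srv, a_names = {}, set()
    for name, rtype, rdata in records:
        if rtype == "SRV":                        # priority weight port target
            srv.setdefault(name, []).append((int(rdata[2]), rdata[3]))
        elif rtype == "A":
            a_names.add(name)
    problems = []
    for name, port in REQUIRED_SRV:
        entries = srv.get(name, [])
        if not any(p == port for p, _ in entries):
            problems.append(f"missing {name} port {port}")
            continue
        for _, target in entries:
            if target not in a_names:
                problems.append(f"{name} -> {target} has no A record in the zone")
    return problems


if __name__ == "__main__":
    print(check_ad_srv(parse_zone(ZONE_SAMPLE)) or "all AD SRV records present")
```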


Joining the example.com domain

Now go to localhost.example.com and join it to the example.com domain:

yum install samba* oddjob* ntp* sssd -y

Synchronize time with the DC (Kerberos requires the clocks to be in sync):

systemctl enable ntpd.service
ntpdate dc.example.com
systemctl start ntpd.service

systemctl enable oddjobd
systemctl start oddjobd
systemctl enable winbind
systemctl start winbind
systemctl start sssd

Edit /etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = true

[realms]
 EXAMPLE.COM = {
  kdc = dc.example.com
 }

[domain_realm]
 example.com = EXAMPLE.COM

Edit /etc/samba/smb.conf:

[global]
#--authconfig--start-line--

# Generated by authconfig on 2015/06/10 17:25:07
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = EXAMPLE
password server = DC.EXAMPLE.COM
realm = EXAMPLE.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false

#--authconfig--end-line--

# ----------------------- Network-Related Options -------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description field.
#
# netbios name = used to specify a server name that is not tied to the hostname.
#
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the "interfaces =" option to
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
#
# max protocol = used to define the supported protocol. The default is NT1
#
; workgroup = MYGROUP
server string = Samba Server Version %v

; netbios name = MYSERVER

interfaces = lo ens3 192.168.12.2/24 192.168.13.2/24
hosts allow = 127. 192.168.122. 192.168.13.

; max protocol = SMB2

Restart the smb, winbind and oddjob services:

systemctl restart smb
systemctl restart oddjobd
systemctl restart winbind

Open the firewall ports:

firewall-cmd --add-service=samba --permanent
firewall-cmd --reload

Join the domain:

realm join --user=administrator@EXAMPLE.COM EXAMPLE.COM

You can avoid all this editing by simply typing

authconfig-gtk

and populating the fields.

Click Join Domain, enter the domain admin username and password, and click Apply.

You shouldn't have any problems; if you do, check /var/log/messages and /var/log/samba/log.winbind-

Type realm list; if the realm is listed as configured and joined, everything is fine.

Now switch to the Domain Controller and create an OU, a group and a user (PowerShell):

New-ADO rganizationalUnit "test"

New-ADGroup -Name "test group" -GroupScope "Global" -GroupCategory "Security" -Path "ou=test,dc=example,dc=com"

New-ADUser -Name "tex willer" -UserPrincipalName "tex.willer@example.com" -AccountPassword (ConvertTo-SecureString "Passw0rd01" -AsPlainText -Force) -ChangePasswordAtLogon $false -Path "ou=test,dc=example,dc=com" -Enabled $true

Add-ADGroupMember -Identity "test group" -Members "tex willer"

Get-ADUser -Filter 'Name -eq "tex willer"' | Format-List


Now switch to the Samba server and type:

wbinfo -u   # lists AD users

wbinfo -g   # lists AD groups

We can now see the user tex willer and the group "test group".

Let's create the shared folder now:

mkdir -p /srv/samba/Profiles/
chmod -R 770 /srv/samba/Profiles
chgrp "Domain Users" /srv/samba/Profiles

At the bottom of the /etc/samba/smb.conf file add:

[Profiles]
 path = /srv/samba/Profiles/
 read only = no
 # store dos attributes keeps the Windows hidden/system attributes, so hidden files and folders stay hidden
 store dos attributes = Yes
 browseable = yes
 writable = yes
 public = yes

Edit /etc/pam.d/system-auth (your uid values may vary; the general rule is that the uid bound in the account line must be larger than your domain users' uids).

To find out the id, log the user in to a Linux terminal (su "tex willer"), then type id (see the uid value).

Until I set this, Samba had been rejecting my Windows username/password:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet_success
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 36777216 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

In order for SELinux to allow writing to the shared folder we must type:

chcon -t samba_share_t /srv/samba/Profiles

Edit the /etc/nsswitch.conf file to configure the system to consult winbind if a user cannot be found in /etc/passwd:

passwd: files winbind
shadow: files winbind
group: files winbind

Restart the smb, winbind, sssd and oddjobd services again and try to access the share from Windows Server 2012; you should see the Profiles folder.


Now try to create a folder/file.

Give Domain Users Full Control of the Profiles folder (This folder only) and List Folder/Read Data and Create Folders/Append Data (This folder only). The Domain Admins security group should have Full Control of This Folder, Subfolders, and Files.

Create a GPO for folder redirection:

User Configuration -> Policies -> Windows Settings -> Folder Redirection

Apply the policy, log in as the user and create a file/folder in the Documents folder.

Then check the Profiles folder:

Great! On the Samba share the tex willer folder is created automatically and everything in the Documents folder is redirected there.

You have to retrieve data from a database. The results consist of two columns: during October the results are written to columns A and B, during November they must be written to columns C and D, and in December to E and F respectively. Here is how to accomplish that:

First, be sure that macros are enabled (File - Options - Trust Center - Trust Center Settings - Macro Settings - Enable all macros).

Insert a new module and paste this code.

(I am using the Oracle OO4O driver to connect to the database, but your method may vary.) Note that the macro reads its database connection parameters from two plaintext files, so anyone who can read C:\Local Data\autowater\ has the database credentials.

Sub auto_open()

    ' The two OpenDatabase arguments (database name and connect string)
    ' are read from two plain-text files in the autowater folder
    Dim shorttext As String, mystring As String, mystring1 As String
    Open "C:\Local Data\autowater\pass.txt" For Input As #1
    Input #1, shorttext
    Close #1
    mystring = shorttext
    Open "C:\Local Data\autowater\pass1.txt" For Input As #2
    Input #2, shorttext
    Close #2
    mystring1 = shorttext

    Dim objSession As Object
    Dim objDataBase As Object
    Dim oraDynaSet As Object
    Dim x As Long, y As Long

    ' v is the first column of the target block (1 = A, 3 = C, 5 = E),
    ' pom is the range that is cleared before the new results are written.
    ' On the 1st of the month the previous month's block is still used.
    Dim v As Long
    Dim pom As String
    v = 0
    If Month(Date) = 10 Then
        v = v + 1
        pom = "A:B"
    End If

    If Month(Date) = 11 And Day(Date) = 1 Then
        v = v + 1
        pom = "A:B"
    ElseIf Month(Date) = 11 And Day(Date) <> 1 Then
        v = v + 3
        pom = "C:D"
    End If

    If Month(Date) = 12 And Day(Date) = 1 Then
        v = v + 3
        pom = "C:D"
    ElseIf Month(Date) = 12 And Day(Date) <> 1 Then
        v = v + 5
        pom = "E:F"
    End If

    ' outside October to December there is no target block, so do nothing
    If v = 0 Then Exit Sub

    Set objSession = CreateObject("OracleInProcServer.XOraSession")
    Set objDataBase = objSession.OpenDatabase(mystring, mystring1, 0&)

    Dim sql As String

    Sheets("sheet2").Select
    Range(pom).Select
    Selection.ClearContents

    Application.ScreenUpdating = False
    Application.Calculation = xlCalculationManual

    sql = sql & " your SQL here"

    Set oraDynaSet = objDataBase.DBCreateDynaset(sql, 0&)

    If oraDynaSet.RecordCount > 0 Then
        oraDynaSet.MoveFirst
        ' row 1 gets the column names, starting at column v
        For x = 0 To oraDynaSet.Fields.Count - 1
            Cells(1, x + v) = oraDynaSet.Fields(x).Name
        Next

        ' the records follow from row 2 onwards
        For y = 0 To oraDynaSet.RecordCount - 1
            For x = 0 To oraDynaSet.Fields.Count - 1
                Cells(y + 2, x + v) = oraDynaSet.Fields(x).Value
            Next
            oraDynaSet.MoveNext
        Next
    End If

    Application.Calculation = xlCalculationAutomatic
    Application.ScreenUpdating = True
    Set oraDynaSet = Nothing
    Set objDataBase = Nothing
    Set objSession = Nothing
End Sub
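The macro's column-selection rule (v and pom) and the way it lays the result set out in the sheet, modelled in Python as an added example that is not part of the original post, so the month and first-of-month cases can be checked without Excel or Oracle; the function names and the sample result set are my own:

```python
# Added example, not the blog's macro: a model of its column-selection rule
# and of how it writes a result set into the sheet.

# Column blocks used by the macro: October -> A:B, November -> C:D, December -> E:F,
# stored as (first 1-based column index, range string), i.e. the macro's (v, pom).
BLOCKS = {10: (1, "A:B"), 11: (3, "C:D"), 12: (5, "E:F")}


def target_block(month: int, day: int):
    """Return (v, pom) for a date, or None outside October..December.

    On the 1st of November and December the macro still uses the previous
    month's block, so that case is mapped back one month here."""
    if month in (11, 12) and day == 1:
        month -= 1
    return BLOCKS.get(month)


def lay_out(month: int, day: int, field_names, rows):
    """Place a result set the way the macro does: field names in row 1,
    records from row 2, all starting at column v. Returns {(row, col): value}."""
    block = target_block(month, day)
    if block is None:
        return {}
    v, _ = block
    cells = {}
    for x, name in enumerate(field_names):        # Cells(1, x + v) = Fields(x).Name
        cells[(1, x + v)] = name
    for y, record in enumerate(rows):             # Cells(y + 2, x + v) = Fields(x).Value
        for x, value in enumerate(record):
            cells[(y + 2, x + v)] = value
    return cells


if __name__ == "__main__":
    # constructed two-column result set, laid out for 15 November
    for cell, value in sorted(lay_out(11, 15, ["ID", "LEVEL"], [(1, 3.5), (2, 4.1)]).items()):
        print(cell, value)
```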

Thanks to a colleague of mine who found a solution on the internet, I was finally able to make a connection to the shared printer. None of the other solutions worked.

This is the workaround for the printer issue where printers are not displayed under Devices and Printers and adding them by host name fails with the error message "Windows cannot connect to the printer (error 0x00000057)". Here are the steps to follow:

It's actually the print driver failing to install, not the connection to the print server. An initial attempt to install the driver failed, so the driver directory is present on the workstation but its files are missing.

1) First, on a machine with the same driver installed (and working properly), open Regedit and browse to:
HKLM\System\CurrentControlSet\Control\Print\Environments\Windows NT x64\Drivers\Version-3\
2) Locate the subkey for the printer driver we are dealing with, e.g. 'HP Universal Printer Driver v6', and click the key for the printer driver.
3) Look for "InfPath" on the right. Note the path.
4) Now browse to C:\Windows\System32\DriverStore\FileRepository and locate the folder indicated in the InfPath registry value.
5) Go to the user's computer exhibiting this behaviour, browse to C:\Windows\System32\DriverStore\FileRepository and check whether the folder is present. If the folder is present but empty, you will have to modify the security on the folder, first taking ownership and then granting yourself full control.
6) Once security is granted, copy the contents of this folder from the working machine to the affected machine; if the whole folder is missing, copy the entire folder.

7) Restart the machine.

We have a block of code which needs to be executed only on weekdays; how do we accomplish that? First, create a file with the .vbs extension and paste the following code into it:

dtmToday = Date()

' DatePart("w") numbers the days 1 = Sunday ... 7 = Saturday
dtmDayOfWeek = DatePart("w", dtmToday)

Select Case dtmDayOfWeek
    Case 1: strDay = "Sunday"
    Case 2: strDay = "Monday"
    Case 3: strDay = "Tuesday"
    Case 4: strDay = "Wednesday"
    Case 5: strDay = "Thursday"
    Case 6: strDay = "Friday"
    Case 7: strDay = "Saturday"
End Select

' overwrite day.txt with today's day name (mode 2 = ForWriting, create the file if missing)
Set objFileToWrite = CreateObject("Scripting.FileSystemObject").OpenTextFile("C:\@IT\Batch\day.txt", 2, True)
objFileToWrite.WriteLine(strDay)
objFileToWrite.Close
Set objFileToWrite = Nothing

Name the file check.vbs, then save and close it.

This code creates a file called C:\@IT\Batch\day.txt in which the name of the current day of the week is written. We will use this file later on.

Now open the batch file with the block of code which needs to be executed every day.

Our batch code is in a file called everyday.bat (this file contains the code which runs every day, plus the block which needs to run only on weekdays).

Let's say our block of code is labelled weekday (it runs only on weekdays):

rem code which is executed every day

rem some code

rem find returns ERRORLEVEL 0 when the string is found; "||" runs the second find
rem only if the first one fails, so ERRORLEVEL is 0 exactly on Saturday or Sunday
find "Saturday" "C:\@IT\Batch\day.txt" > "C:\@IT\Batch\desired day.txt" || find "Sunday" "C:\@IT\Batch\day.txt" > "C:\@IT\Batch\desired day.txt"

if %ERRORLEVEL% EQU 0 (
    goto :end
) else (
    goto :weekday
)

:weekday

rem some code which runs only on weekdays

:end

exit

The find command searches the file day.txt for the string Saturday or Sunday (|| runs the second find only if the first one fails) and writes the matching line to the file desired day.txt. When a match is found, that is, on the weekend, the batch jumps to :end and exits; otherwise the :weekday block is run.

Now we need to create a batch file which first calls check.vbs and then executes everyday.bat.

Create a new file with the .bat extension and write:

rem run check.vbs synchronously, so day.txt is written before everyday.bat reads it
cscript //nologo check.vbs

call everyday.bat

Name this file whatever you like and add it to Task Scheduler.
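The check.vbs step and the find-based gate of everyday.bat, modelled in Python as an added example that is not part of the original post, so the decision can be checked for every day of a constructed week; the file path handling and function names are my own, and the day.txt file is written to a temporary directory:

```python
# Added example, not the blog's scripts: a model of check.vbs (write the day name)
# followed by the everyday.bat gate (find "Saturday" ... || find "Sunday" ...).
import calendar
import tempfile
from datetime import date
from pathlib import Path

WEEKEND = ("Saturday", "Sunday")


def write_day_file(d: date, day_file: Path) -> str:
    """check.vbs equivalent: overwrite day_file with the English day name of d."""
    name = calendar.day_name[d.weekday()]   # Python: Monday == 0 ... Sunday == 6
    day_file.write_text(name + "\n")
    return name


def weekend_found(day_file: Path) -> bool:
    """The batch gate. Like find without /I this is a case-sensitive substring
    search, so a misspelled day name in the batch file would never match and
    that day would wrongly run the weekday block."""
    text = day_file.read_text()
    return any(day in text for day in WEEKEND)


def weekday_block_should_run(d: date, day_file: Path) -> bool:
    """Write the day file first, then evaluate the gate: True means the
    :weekday block runs, False means the batch jumps to :end."""
    write_day_file(d, day_file)
    return not weekend_found(day_file)


def should_run(year: int, month: int, day: int) -> bool:
    """Convenience wrapper that uses a temporary day.txt."""
    with tempfile.TemporaryDirectory() as tmp:
        return weekday_block_should_run(date(year, month, day), Path(tmp) / "day.txt")


if __name__ == "__main__":
    # constructed week: 2015-06-01 is a Monday
    for offset in range(7):
        d = date(2015, 6, 1 + offset)
        print(d, calendar.day_name[d.weekday()], "run" if should_run(d.year, d.month, d.day) else "skip")
```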