

Find Which Device Is Connected to a Cisco Switch Port

Issue the following:

mdscisco07#sh mac address-table interface gigabitEthernet 1/19
Unicast Entries
vlan mac address type protocols port
-------+---------------+--------+---------------------+--------------------
5 abcd.1234.wxyz dynamic ip,ipx GigabitEthernet1/19

HTH

Configuring an Ubuntu Workstation with XRDP, SSHD, VNC, FreeIPA, SSSD, Java, NetBeans

Building an Ubuntu Workstation for development and general use, one that can be accessed remotely with central authentication.  Most of the commands below will be run as the root user, hence switching to root with

# sudo su -

will be needed.  Let's get going:

ALIAS SETUP

Personally, the following alias just makes it a tad easier to get around:

$ grep -Ei altri ~/.bashrc
alias lt='ls -altri'
$

Another shortcut that comes in handy is the bash reverse history search, CTRL + r, which searches the history and recalls previous commands.

NETWORK IP

# nmcli con add type ethernet con-name ens160 ifname ens160 ipv4.addresses 192.168.0.30/24 ipv4.gateway 192.168.0.1 ipv4.dns "192.168.0.46 192.168.0.51 192.168.0.224" ipv4.method manual ipv4.dns-search "mds.xyz nix.mds.xyz mws.mds.xyz"

# nmcli con up ens160

Associate the interface name that exists on your machine to the profile named ens160.

# (optional) nmcli con modify ens160 connection.interface-name INTERFACE-NAME             # Interface name determined by running ip a command.

# nmcli con show

Create a /etc/resolv.conf with the following contents:

$ cat /etc/resolv.conf
nameserver 192.168.0.224
nameserver 192.168.0.46
nameserver 192.168.0.51
domain nix.mds.xyz
search mds.xyz nix.mds.xyz mds.xyz

Or use the GUI.  Test by pinging google.com or another site.  Stop the resolver services that would otherwise manage this file:

# systemctl stop systemd-resolved
# systemctl stop resolvconf

 

SSHD

Install the SSHD server using:

# apt install openssh-server

Test using PuTTY.

XRDP

Install XRDP using:

# apt install xrdp

Check that the service is running and port is open:

root@fr-ubuntu-01:~# netstat -pnltu|grep -Ei xrdp
tcp6 0 0 :::3389 :::* LISTEN 64884/xrdp
tcp6 0 0 ::1:3350 :::* LISTEN 64874/xrdp-sesman
root@fr-ubuntu-01:~#

Test using Windows Remote Desktop Connection.

SOFTWARE CENTER

Install the software center.  It may be missing:

# apt install synaptic
# apt install gnome-software

Check that the icons now exist in the Ubuntu start menu.

TIGER VNC

Install packages:

# apt list|grep -Ei tigervnc

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

tigervnc-common/jammy,now 1.12.0+dfsg-4 amd64 [installed,automatic]
tigervnc-scraping-server/jammy 1.12.0+dfsg-4 amd64
tigervnc-standalone-server/jammy,now 1.12.0+dfsg-4 amd64 [installed]
tigervnc-tools/jammy,now 1.12.0+dfsg-4 amd64 [installed,automatic]
tigervnc-viewer/jammy,now 1.12.0+dfsg-4 amd64 [installed]
tigervnc-xorg-extension/jammy,now 1.12.0+dfsg-4 amd64 [installed]

One line command to install the above is:

# apt install tigervnc-common tigervnc-scraping-server tigervnc-standalone-server tigervnc-tools tigervnc-viewer tigervnc-xorg-extension

Set up VNC for a number of users.  This file is global and hence owned by root:

# cat /etc/tigervnc/vncserver.users
# TigerVNC User assignment
#
# This file assigns users to specific VNC display numbers.
# The syntax is <display>=<username>. E.g.:
#
# :2=andrew
# :3=lisa

:1=root
:2=vncuser

Create a config such as this for each user, in that user's ~/.vnc/config:

root@fr-ubuntu-01:~/.vnc# cat config
# create new
# session=(display manager you use)
# securitytypes=(security options)
# geometry=(screen resolution)
session=gnome
securitytypes=vncauth,tlsvnc
geometry=2048x1152
depth=24
root@fr-ubuntu-01:~/.vnc#

Set the ~/.vnc/xstartup as follows:

#!/bin/bash -x

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
unset DBUS_SESSION_BUS_ADDRESS

unset SESSION_MANAGER
exec /usr/bin/gnome-session

Start TigerVNC as root first to test that a VNC server on port 5901 starts up:

# /usr/bin/tigervncserver --depth 32 --geometry 1680x1050 --localhost no :1 2>&1

Check with:

root@fr-ubuntu-01:~/.vnc# netstat -pnltu|grep -Ei 590
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 8021/Xtigervnc
tcp6 0 0 :::5901 :::* LISTEN 8021/Xtigervnc
root@fr-ubuntu-01:~/.vnc#

This will work but won't allow root direct login via VNC.  Next, configure multiple instances to start on bootup, one of them for a non-privileged user.  To do so, the following lines start a session for each user:

/usr/sbin/tigervncsession "root" ":1"
/usr/sbin/tigervncsession "vncuser" ":2"

The above is in turn called from the TigerVNC systemd unit below (the ExecStop line was added so that a server can also be stopped cleanly):

root@fr-ubuntu-01:~/.vnc# grep -Eiv "#" /lib/systemd/system/tigervncserver@.service
[Unit]
Description=Remote desktop service (VNC)
After=network.target

[Service]
User=root
Group=root
Type=forking
ExecStart=/usr/libexec/tigervncsession-start %i
ExecStop=/usr/bin/tigervncserver --kill :%i

PIDFile=/run/tigervncsession-:%i.pid
SELinuxContext=system_u:system_r:vnc_session_t:s0

[Install]
WantedBy=multi-user.target
root@fr-ubuntu-01:~/.vnc#

The systemd unit in turn calls a bash script.  The copy below is heavily modified for the purpose of this article:

# cat -n /usr/libexec/tigervncsession-start
1 #!/bin/bash
2 #
3 # Copyright 2019 Pierre Ossman for Cendio AB
4 #
5 # This is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 2 of the License, or
8 # (at your option) any later version.
9 #
10 # This software is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
14 #
15 # You should have received a copy of the GNU General Public License
16 # along with this software; if not, write to the Free Software
17 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
18 # USA.
19 #
20
21 USERSFILE="/etc/tigervnc/vncserver.users"
22 echo "Using configuration file $USERSFILE ... "
23
24 if [[ $# -ne 1 ]]; then
25   echo "Syntax:" >&2
26   echo " $0 <display>" >&2
27   echo "Example:" >&2
28   echo " $0 \":1\"" >&2
29   exit 1
30 fi
31
32 if [[ ! -f "${USERSFILE}" ]]; then
33   echo "Users file ${USERSFILE} is missing. Exiting!" >&2
34   exit 1
35 fi
36
37 DISPLAY="$1"
38
39 # Check if that server is already running (--list prints displays as ":N", so strip the colon before comparing).
40 for VNCENTRY in $(/usr/bin/tigervncserver --list|awk '{ if ( $1 ~ /^:?[0-9]+$/ ) print $1 }'); do
41   echo "Checking if $VNCENTRY is already running ...";
42     if [[ "${VNCENTRY#:}" == "$DISPLAY" ]]; then
43       echo "ERROR: Server $VNCENTRY is already running. If intent is to restart, issue a stop and start on that server:";
44       echo " systemctl stop tigervncserver@$DISPLAY";
45       echo " systemctl start tigervncserver@$DISPLAY";
46       echo "OR issue the following";
47       echo " /usr/bin/tigervncserver --kill :$DISPLAY";
48       exit 1;
49     fi
50 done
51
52 USER=$(grep "^[ ]*:${DISPLAY}=" "${USERSFILE}" 2>/dev/null | head -1 | cut -d = -f 2- | sed 's/ *$//g')
53
54 echo "User for display $DISPLAY identified as \"$USER\" from file $USERSFILE ...";
55 echo "Users defined in config file are:"
56 echo "---------------------------------"
57 grep -Eiv "#" $USERSFILE;
58 echo "---------------------------------"
59
60 if [[ -z "${USER}" ]]; then
61   echo "No user configured for display ${DISPLAY}" >&2
62   exit 1
63 else
64   echo "Starting VNC Server as user ${USER} ... "
65 fi
66
67 # exec "/usr/sbin/tigervncsession" "${USER}" ":${DISPLAY}"
68 /usr/sbin/tigervncsession "${USER}" ":${DISPLAY}";
69 echo "Return code from running /usr/sbin/tigervncsession is: $?";
70
71 echo "Checking if PID file has been created."
72 vnccount=0;
73 while [[ true ]]; do
74   vnccount=$((vnccount + 1))
75   if [[ -r /run/tigervncsession-:$DISPLAY.pid ]]; then
76     echo "PID File created by /usr/sbin/tigervncsession exists in /run/tigervncsession-:$DISPLAY.pid ...";
77     echo "Successfully started the TigerVNC Server on display port $DISPLAY. ";
78     break;
79   else
80     echo "PID Process file /run/tigervncsession-:$DISPLAY.pid not yet created. Waiting ...";
81     sleep 1;
82   fi
83
84   if [[ $vnccount -gt 10 ]]; then
85     echo "ERROR: TigerVNC process startup failed to create a PID file in /run/tigervncsession-:$DISPLAY.pid ...";
86     echo "ERROR: This indicates issues in startup. Exiting!";
87     exit 1;
88   fi
89 done

At this point everything has a decent chance of working when started up.  Before going further, check for and kill any VNC sessions that were started manually and may still be hanging around; this prevents errors, particularly port conflicts.

root@fr-ubuntu-01:~/.vnc# /usr/bin/tigervncserver --list

TigerVNC server sessions:

X DISPLAY # RFB PORT # RFB UNIX PATH PROCESS ID # SERVER
root@fr-ubuntu-01:~/.vnc#
root@fr-ubuntu-01:~/.vnc#
root@fr-ubuntu-01:~/.vnc# /usr/bin/tigervncserver --kill :*
tigervncserver: No VNC server running for this user!
root@fr-ubuntu-01:~/.vnc#

Let's enable the services in systemd so they start at boot:

systemctl enable tigervncserver@1
systemctl enable tigervncserver@2

And start them:

systemctl start tigervncserver@1
systemctl start tigervncserver@2

Check the status:

systemctl status tigervncserver@1
systemctl status tigervncserver@2

Check the ports:

root@fr-ubuntu-01:~# netstat -pnltu|grep -Ei 590
tcp 0 0 127.0.0.1:5902 0.0.0.0:* LISTEN 72393/Xtigervnc
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 51235/Xtigervnc
tcp6 0 0 ::1:5902 :::* LISTEN 72393/Xtigervnc
tcp6 0 0 :::5901 :::* LISTEN 51235/Xtigervnc
root@fr-ubuntu-01:~#

Then connect using a VNC viewer installed on Windows 10/11 or on a Linux desktop.  A few options exist, including RealVNC and TightVNC:

RealVNC Viewer

PROBLEMS and FIXES

When encountering the following:

Jan 20 20:14:35 fr-ubuntu-01 systemd[40475]: tigervncserver@1.service: Failed to determine user credentials: No such process
Jan 20 20:14:35 fr-ubuntu-01 systemd[40475]: tigervncserver@1.service: Failed at step USER spawning /usr/libexec/tigervncsession-start: No such process

Fix the above by setting a User and Group in the service:

# cat /lib/systemd/system/tigervncserver@.service
[Unit]
Description=Remote desktop service (VNC)
After=network.target

[Service]
User=root
Group=root
Type=forking
ExecStart=/usr/libexec/tigervncsession-start %i
PIDFile=/run/tigervncsession-%i.pid
SELinuxContext=system_u:system_r:vnc_session_t:s0

[Install]
WantedBy=multi-user.target

If this error appears:

Jan 20 20:16:49 fr-ubuntu-01 tigervncsession-start[40631]: No user configured for display 1

Fix it by adding the user for that display to this file:

# cat /etc/tigervnc/vncserver.users
# TigerVNC User assignment
#
# This file assigns users to specific VNC display numbers.
# The syntax is <display>=<username>. E.g.:
#
# :2=andrew
# :3=lisa

:1=root
:2=vncuser

Next issue:

# tail -f /var/log/syslog /var/log/auth.log
Jan 21 10:09:04 fr-ubuntu-01 gdm-password]: pam_succeed_if(gdm-password:auth): requirement "user != root" not met by user "root"

This means the system is not configured to allow direct root login.  This is a security feature worth keeping.  There are ways to enable it, but that is not recommended; it is best to configure access for a non-privileged user, which is what the vncuser entry above does.

Another issue that can be seen is:

Jan 21 13:03:24 fr-ubuntu-01 systemd[1]: tigervncserver@1.service: Can't open PID file /run/tigervncsession-1.pid (yet?) after start: Operation not permitted

This required a small update to the startup script /usr/libexec/tigervncsession-start: the exec is replaced with a plain call, followed by a loop that waits for the PID file to appear:

# exec "/usr/sbin/tigervncsession" "${USER}" ":${DISPLAY}"
/usr/sbin/tigervncsession "${USER}" ":${DISPLAY}"
echo "Return code from running /usr/sbin/tigervncsession is: $?"
echo "Checking if PID file has been created."
vnccount=0
while [[ true ]]; do
    vnccount=$((vnccount + 1))
    if [[ -r /run/tigervncsession-:$DISPLAY.pid ]]; then
        echo "PID File created by /usr/sbin/tigervncsession exists in /run/tigervncsession-:$DISPLAY.pid ...";
        echo "Successfully started the TigerVNC Server on display port $DISPLAY. ";
        break;    # stop polling once the PID file exists
    else
        echo "PID Process file /run/tigervncsession-:$DISPLAY.pid not yet created. Waiting ...";
        sleep 1;
    fi

    if [[ $vnccount -gt 10 ]]; then
        echo "ERROR: TigerVNC process startup failed to create a PID file in /run/tigervncsession-:$DISPLAY.pid ...";
        echo "ERROR: This indicates issues in startup. Exiting!";
        exit 1;
    fi
done

and a change to the systemd unit, since the session script writes the PID file with a ':' in its name:

# vi /lib/systemd/system/tigervncserver@.service
PIDFile=/run/tigervncsession-:%i.pid

then start or restart the service again.

A connectivity issue such as this:

# telnet fr-ubuntu-01.nix.mds.xyz 5902
Connecting To fr-ubuntu-01.nix.mds.xyz…Could not open connection to the host, on port 5902: Connect failed

is not due to the firewall, though it is worth checking:

root@fr-ubuntu-01:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@fr-ubuntu-01:~#
root@fr-ubuntu-01:~#
root@fr-ubuntu-01:~#
root@fr-ubuntu-01:~# ufw status
Status: inactive
root@fr-ubuntu-01:~#

but rather is caused by missing startup files in the user's ~/.vnc/ folder.  The files below, with these permissions, are required:

root@fr-ubuntu-01:/home/francesco/.vnc# lt
total 40
500 -rw------- 1 francesco francesco 8 Jan 14 23:57 passwd
1462 -rwx------ 1 francesco francesco 121 Jan 21 00:31 xstartup
1464 -rw------- 1 francesco francesco 177 Jan 21 12:20 config
34 drwxr-x--- 15 francesco francesco 23 Jan 21 16:24 ..
1814 -rw-rw-r-- 1 francesco francesco 6 Jan 21 16:24 fr-ubuntu-01.nix.mds.xyz:5902.pid
16 -rw-r--r-- 1 francesco francesco 205 Jan 21 16:24 fr-ubuntu-01:2.log
504 -rw-rw-r-- 1 francesco francesco 6083 Jan 21 16:27 fr-ubuntu-01.nix.mds.xyz:5902.log
496 drwxrwxr-x 2 francesco francesco 8 Jan 21 16:41 .
root@fr-ubuntu-01:/home/francesco/.vnc# cat xstartup
#!/bin/bash -x

PATH=/usr/bin:/usr/sbin
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
exec /usr/bin/gnome-session
root@fr-ubuntu-01:/home/francesco/.vnc# cat config
# create new
# session=(display manager you use)
# securitytypes=(security options)
# geometry=(screen resolution)
session=gnome
securitytypes=vncauth,tlsvnc
geometry=2048x1152
root@fr-ubuntu-01:/home/francesco/.vnc#

Whenever files are modified, restart the service.
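The prerequisites spelled out in this section (one user per display in /etc/tigervnc/vncserver.users, and passwd, config and xstartup present in that user's ~/.vnc with the modes shown in the listing) are easy to get wrong for one user out of several, so here is a scripted check. It is an added example and not part of the original post or of TigerVNC: check_vnc_users reads a users file, resolves each user's home through getent (falling back to HOMEBASE/<user>, so it also works against a test tree), and reports missing files, unexpected modes and displays assigned twice. It assumes a Linux userland (GNU stat -c). build_sample_tree constructs a sample tree with deliberate problems so the check can be run offline.

```shell
#!/bin/bash
# Added example, not from the original post: verify the per-user TigerVNC
# prerequisites before (re)starting tigervncserver@N.
#
# check_vnc_users USERSFILE HOMEBASE
#   USERSFILE : a file in /etc/tigervnc/vncserver.users format (":N=user")
#   HOMEBASE  : directory under which HOMEBASE/<user> is used when getent
#               cannot resolve the user (e.g. /home for a test tree)
# Prints one line per problem; returns 1 if any were found, 0 if all is well.
check_vnc_users() {
    local usersfile=$1 homebase=$2 problems=0 seen="" display user home dir f mode
    while IFS='=' read -r display user; do
        display=$(printf '%s' "$display" | tr -d ' \t')
        user=$(printf '%s' "$user" | sed 's/[[:space:]]*$//')
        case "$display" in ''|'#'*) continue ;; esac          # blank or comment line
        case " $seen " in
            *" $display "*) echo "duplicate display $display"; problems=1 ;;
        esac
        seen="$seen $display"
        home=$(getent passwd "$user" 2>/dev/null | cut -d: -f6)
        dir="${home:-$homebase/$user}/.vnc"
        if [ ! -d "$dir" ]; then
            echo "$display=$user: missing directory $dir"; problems=1; continue
        fi
        # Modes taken from the working listing above: passwd and config 0600, xstartup 0700
        for f in passwd config xstartup; do
            if [ ! -e "$dir/$f" ]; then
                echo "$display=$user: missing $dir/$f"; problems=1; continue
            fi
            mode=$(stat -c %a "$dir/$f")
            case "$f:$mode" in
                passwd:600|config:600|xstartup:700) ;;       # as expected
                *) echo "$display=$user: $dir/$f has mode $mode"; problems=1 ;;
            esac
        done
    done < "$usersfile"
    return "$problems"
}

# build_sample_tree DIR -> constructed sample (no real users): vncuser is set up
# correctly, francesco has no passwd file and a group/world-readable config, and
# display :2 is listed twice in the users file.
build_sample_tree() {
    local base=$1 u
    mkdir -p "$base/home/vncuser/.vnc" "$base/home/francesco/.vnc"
    for u in vncuser francesco; do
        printf 'session=gnome\n' > "$base/home/$u/.vnc/config"
        printf '#!/bin/bash\nexec /usr/bin/gnome-session\n' > "$base/home/$u/.vnc/xstartup"
        chmod 700 "$base/home/$u/.vnc/xstartup"
    done
    printf 'secret\n' > "$base/home/vncuser/.vnc/passwd"
    chmod 600 "$base/home/vncuser/.vnc/passwd" "$base/home/vncuser/.vnc/config"
    chmod 644 "$base/home/francesco/.vnc/config"
    printf '# TigerVNC User assignment\n:2=vncuser\n:3=francesco\n:2=vncuser\n' > "$base/vncserver.users"
}

# Usage on a real host:  check_vnc_users /etc/tigervnc/vncserver.users /home
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    build_sample_tree "$tmp"
    check_vnc_users "$tmp/vncserver.users" "$tmp/home" || echo "problems found (see above)"
    rm -rf "$tmp"
fi
```

Run it with --demo to see the three findings on the constructed tree, or point it at the real users file before each restart of tigervncserver@N; a non-zero exit means the service start is likely to fail in one of the ways listed under PROBLEMS and FIXES.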

SSSD / AD AUTHENTICATION

Install the SSSD Daemon to connect with central authentication, to, amongst other things, use a central user and

# apt install sssd-ad-common sssd-ad sssd-common sssd-dbus sssd-ipa sssd-kcm sssd-krb5-common sssd-krb5 sssd-ldap sssd-proxy sssd-tools sssd freeipa-client oddjob-mkhomedir libpam-sss libnss-sss sssd sssd-tools sssd-ldap ldap-utils openssl ca-certificates sssd-ad realmd adcli -y

# apt install libnfsidmap1 libnfsidmap-regex libnfsidmap-dev libnfs13 libnfs-utils libnfs-dev autofs nfs-common

# ipa-client-install --uninstall; ipa-client-install --force-join -p autojoin -w "<PASS>" --fixed-primary --server=idmipa01.nix.mds.xyz --server=idmipa02.nix.mds.xyz --domain=nix.mds.xyz --realm=NIX.MDS.XYZ -U

# ipa-client-automount --location=UserHomeDir01 -U

Configure the /etc/nsswitch.conf file for automount:

root@fr-ubuntu-01:/var/log# grep -Ei automount /etc/nsswitch.conf
automount: files sss
root@fr-ubuntu-01:/var/log#

Before using the service, a few tweaks are likely needed.  Update /etc/sssd/sssd.conf so that it contains the entries below (the original post highlights the added lines in green):

root@fr-ubuntu-01:/var/log# cat /etc/sssd/sssd.conf
[domain/nix.mds.xyz]

id_provider = ipa
ipa_server = idmipa01.nix.mds.xyz, idmipa02.nix.mds.xyz
ipa_domain = nix.mds.xyz
ipa_hostname = fr-ubuntu-01.nix.mds.xyz
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
sudo_provider = ipa
autofs_provider = ipa
subdomains_provider = ipa
session_provider = ipa
hostid_provider = ipa
ipa_automount_location = UserHomeDir01

dyndns_update = True
dyndns_update_ptr = True
ldap_schema = ad
ldap_id_mapping = True

sudo_provider = ipa
ldap_uri = ldap://idmipa01.nix.mds.xyz, ldap://idmipa02.nix.mds.xyz
ldap_sudo_search_base = ou=sudoers,dc=nix,dc=mds,dc=xyz

override_homedir = /n/%d/%u
# fallback_homedir = /n/%d/%u
# ldap_user_home_directory = unixHomeDirectory

[sssd]
services = nss, pam, ssh, sudo, autofs

domains = nix.mds.xyz
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[session_recording]

root@fr-ubuntu-01:/var/log#

Adjust the /etc/krb5.conf file by adding in these additional entries:

root@fr-ubuntu-01:/var/log# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = NIX.MDS.XYZ
  dns_lookup_realm = false
  rdns = false
  dns_canonicalize_hostname = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  NIX.MDS.XYZ = {
    kdc = idmipa01.nix.mds.xyz:88
    master_kdc = idmipa01.nix.mds.xyz:88
    admin_server = idmipa01.nix.mds.xyz:749
    kpasswd_server = idmipa01.nix.mds.xyz:464
    kdc = idmipa02.nix.mds.xyz:88
    master_kdc = idmipa02.nix.mds.xyz:88
    admin_server = idmipa02.nix.mds.xyz:749
    kpasswd_server = idmipa02.nix.mds.xyz:464
    default_domain = nix.mds.xyz
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }

  MDS.XYZ = {
    kdc = ad.mds.xyz
    default_domain = mds.xyz
  }

[domain_realm]
  .nix.mds.xyz = NIX.MDS.XYZ
  nix.mds.xyz = NIX.MDS.XYZ
  fr-ubuntu-01.nix.mds.xyz = NIX.MDS.XYZ
  .mds.xyz = MDS.XYZ
  mds.xyz = MDS.XYZ

root@fr-ubuntu-01:/var/log#

Check the remote AD user and the NFS mount:

root@fr-ubuntu-01:/n/mds.xyz# id remoteuser@mds.xyz
uid=155612345(remoteuser@mds.xyz) gid=155612345(remoteuser@mds.xyz) ………………………………..
root@fr-ubuntu-01:/n/mds.xyz#

Create the same ~/.vnc files for the extra AD / Kerberos / LDAP users so they can use VNC (their home directories live under the automounted /n/<domain> path):

root@fr-ubuntu-01:/n/mds.xyz/remoteuser/.vnc# ls -altri xstartup config passwd
12410600697251477469 -rwx------ 1 remoteuser@mds.xyz remoteuser@mds.xyz 121 Jan 21 00:31 xstartup
9668247031218421920 -rw------- 1 remoteuser@mds.xyz remoteuser@mds.xyz 177 Jan 21 12:20 config
12896900723358409448 -rw------- 1 remoteuser@mds.xyz remoteuser@mds.xyz 8 Jan 21 18:41 passwd
root@fr-ubuntu-01:/n/mds.xyz/remoteuser/.vnc#

Assign displays to those users as well:

root@fr-ubuntu-01:/n/mds.xyz/remoteuser/.vnc# grep -Eiv "#" /etc/tigervnc/vncserver.users
:1=root
:2=vncuser
:3=vncuser@mds.xyz
:4=remoteuser@mds.xyz
root@fr-ubuntu-01:/n/mds.xyz/remoteuser/.vnc#

JDK JAVA DEVELOPMENT KIT

Run the following to install openjdk:

root@fr-ubuntu-01:~# apt install openjdk-21-jdk
root@fr-ubuntu-01:~# java --version
openjdk 21.0.1 2023-10-17
OpenJDK Runtime Environment (build 21.0.1+12-Ubuntu-222.04)
OpenJDK 64-Bit Server VM (build 21.0.1+12-Ubuntu-222.04, mixed mode, sharing)
root@fr-ubuntu-01:~#

NETBEANS

Installing through the software center brings in a version that is dated and may have issues on newer OS versions such as Ubuntu 22.04.  Therefore, install the latest package directly from the following site:

https://netbeans.apache.org/front/main/download/nb20/

Install using the following steps:

# cd /tmp
# wget https://dlcdn.apache.org/netbeans/netbeans-installers/20/apache-netbeans_20-1_all.deb

# apt install ./apache-netbeans_20-1_all.deb

Start NetBeans via the UI.

CONCLUSION

Confirm all services are working by logging into the Ubuntu server as the remote user via VNC and starting NetBeans:

Ubuntu Desktop Configuration Verification

Enjoy!

Cheers,

HAproxy Configuration to AD Active Directory Servers

Quick configuration to proxy AD requests through another server. Set the following on the proxy server. Note the frontend server is on port 443 whereas the backend server is on port 389:

# vi /etc/haproxy18/haproxy.cfg
global
    log         127.0.0.1 local0 debug
    stats       socket /var/run/haproxy.sock mode 0600 level admin
    # stats     socket /var/lib/haproxy/stats
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    debug

defaults
    mode                    tcp
    log                     global
    option                  dontlognull
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

frontend ldap-ad-front
    log                         127.0.0.1       local0          debug
    bind                        terra01:443
    mode                        tcp
    option                      tcplog
    default_backend             ldap-ad-back


backend ldap-ad-back
    log        /dev/log local0 debug
    mode       tcp
    balance    roundrobin
    default-server inter 3s rise 2
    server     mds.xyz mds.xyz:389 maxconn 1024 check

    option                tcpka
    timeout server        20s
    timeout connect       10s

    # Below, ldap check procedure :
    option tcp-check
    tcp-check connect port 389
    tcp-check send-binary 300c0201                                      # LDAP bind request "" simple
    tcp-check send-binary 01                                            # message ID
    tcp-check send-binary 6007                                          # protocol Op
    tcp-check send-binary 0201                                          # bind request
    tcp-check send-binary 03                                            # LDAP v3
    tcp-check send-binary 04008000                                      # name, simple authentication
    tcp-check expect binary 0a0100                                      # bind response + result code: success
    tcp-check send-binary 30050201034200                                # unbind request

listen stats
    bind *:9000
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy-stats
    stats auth admin:s0meP@ssw0rd
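The tcp-check lines above are a hand-assembled LDAP bind (the send-binary chunks concatenate into one DER-encoded LDAPMessage), an expected resultCode of 0 (the expect byte string is matched inside the BindResponse the server returns), and an unbind. Because DER lengths are nested, a wrong length byte after an edit leaves the backend permanently "down" with no obvious error. The walker below is an added example, not part of the original post or of HAProxy: it decodes the three hex strings from the config, labels the tags, and fails if any element claims more bytes than its parent holds. It handles short-form lengths only, which is all the probe uses; the hex constants are the config values joined together.

```shell
#!/bin/bash
# Added example, not from the original post: a small DER walker for the LDAP
# messages hand-assembled in the haproxy tcp-check lines. It prints every tag
# with its length and value and fails if a length byte does not match its
# contents. Short-form lengths only (< 128 bytes), which is all the probe uses.

BIND_REQUEST=300c020101600702010304008000   # the send-binary chunks, concatenated
BIND_OK=0a0100                              # what "expect binary" looks for: resultCode success
UNBIND_REQUEST=30050201034200

# tag_name TAG -> human-readable name for the tags the probe uses (TAG in decimal)
tag_name() {
    case "$1" in
        48)  echo "SEQUENCE (LDAPMessage)" ;;         # 0x30
        2)   echo "INTEGER" ;;                        # 0x02
        4)   echo "OCTET STRING" ;;                   # 0x04
        10)  echo "ENUMERATED (resultCode)" ;;        # 0x0a
        96)  echo "[APPLICATION 0] BindRequest" ;;    # 0x60
        66)  echo "[APPLICATION 2] UnbindRequest" ;;  # 0x42
        128) echo "[0] simple authentication" ;;      # 0x80
        *)   echo "unknown" ;;
    esac
}

# hexbyte HEX INDEX -> decimal value of the INDEX-th byte (0-based) of hex string HEX
hexbyte() {
    echo $(( 0x$(printf '%s' "$1" | cut -c $(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))) ))
}

# der_walk HEX [OFFSET END DEPTH] -> one line per element, indented by nesting depth;
# returns 1 as soon as an element claims more bytes than its parent holds.
der_walk() {
    local hex=$1 off=${2:-0} end=${3:-$(( ${#1} / 2 ))} depth=${4:-0}
    local tag len val_off val_end value i
    while [ "$off" -lt "$end" ]; do
        [ $(( off + 1 )) -lt "$end" ] || { echo "truncated element at byte $off" >&2; return 1; }
        tag=$(hexbyte "$hex" "$off")
        len=$(hexbyte "$hex" $(( off + 1 )))
        [ "$len" -lt 128 ] || { echo "long-form length at byte $off not supported" >&2; return 1; }
        val_off=$(( off + 2 )); val_end=$(( val_off + len ))
        if [ "$val_end" -gt "$end" ]; then
            echo "element at byte $off claims $len bytes but only $(( end - val_off )) remain" >&2
            return 1
        fi
        value=""
        [ "$len" -eq 0 ] || value=$(printf '%s' "$hex" | cut -c $(( val_off * 2 + 1 ))-$(( val_end * 2 )))
        i=0; while [ "$i" -lt "$depth" ]; do printf '  '; i=$(( i + 1 )); done
        printf 'tag=0x%02x len=%d value=%s  (%s)\n' "$tag" "$len" "$value" "$(tag_name "$tag")"
        # Bit 0x20 of the tag marks a constructed type; descend into its contents.
        if [ $(( tag & 0x20 )) -ne 0 ]; then
            der_walk "$hex" "$val_off" "$val_end" $(( depth + 1 )) || return 1
        fi
        off=$val_end
    done
}

# Usage: decode all three probe messages, stopping at the first inconsistency.
if [ "${1:-}" = "--show" ]; then
    for m in "$BIND_REQUEST" "$BIND_OK" "$UNBIND_REQUEST"; do
        echo "== $m"; der_walk "$m" || exit 1
    done
fi
```

Running it with --show prints the bind request as a SEQUENCE holding message ID 1 and a BindRequest with version 3, an empty name and an empty simple password, which is exactly the anonymous bind the comments in the config describe. If you change the probe, paste the new concatenated hex into the walker first.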

Firewall zone file:

# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<port protocol="tcp" port="22"/>
<port protocol="udp" port="22"/>
<port protocol="udp" port="443"/>
<port protocol="tcp" port="443"/>
<port protocol="udp" port="636"/>
<port protocol="tcp" port="636"/>
<port protocol="udp" port="3269"/>
<port protocol="tcp" port="3269"/>
<port protocol="udp" port="3268"/>
<port protocol="tcp" port="3268"/>
<port protocol="udp" port="389"/>
<port protocol="tcp" port="389"/>
<port protocol="udp" port="9000"/>
<port protocol="tcp" port="9000"/>
<port protocol="udp" port="137"/>
<port protocol="udp" port="138"/>
<port protocol="udp" port="2049"/>
</zone>

Test with the following from another host:

ldapsearch -W -b "DC=MDS,DC=XYZ" -h 10.0.0.100:443 -S sAMAccountName -D resu@mds.xyz '(&(objectClass=user)(sAMAccountName=*resu*))'

Command reference:

yum install haproxy18.x86_64
yum install openldap-clients
systemctl restart haproxy18
systemctl status haproxy18 -l
vi /etc/haproxy18/haproxy.cfg
vi /etc/firewalld/zones/public.xml
setsebool -P haproxy_connect_any=1
netstat -pnltu|grep -Ei haproxy

Cheers,

klist: Improper format of Kerberos configuration file while initializing krb5

There were extra spaces, or a space in a different font, in front of “” that were copied over from an editor.  Once replaced, everything worked fine:

root@g73sw01:/etc# klist -kte
klist: Improper format of Kerberos configuration file while initializing krb5
root@g73sw01:/etc# vi /etc/krb5.conf
root@g73sw01:/etc# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
6 11/19/2023 22:34:44 host/g73sw01.nix.mds.xyz@NIX.MDS.XYZ (aes256-cts-hmac-sha1-96)
6 11/19/2023 22:34:44 host/g73sw01.nix.mds.xyz@NIX.MDS.XYZ (aes128-cts-hmac-sha1-96)
6 11/19/2023 22:34:44 host/g73sw01.nix.mds.xyz@NIX.MDS.XYZ (aes256-cts-hmac-sha384-192)
6 11/19/2023 22:34:44 host/g73sw01.nix.mds.xyz@NIX.MDS.XYZ (aes128-cts-hmac-sha256-128)
6 11/19/2023 22:34:44 host/g73sw01.nix.mds.xyz@NIX.MDS.XYZ (DEPRECATED:des3-cbc-sha1)
6 11/19/2023 22:34:44 host/g73sw01.nix.mds.xyz@NIX.MDS.XYZ (DEPRECATED:arcfour-hmac)
root@g73sw01:/etc# cat /etc/krb5.conf
.
.
.
.mds.xyz = MDS.XYZ
mds.xyz = MDS.XYZ
root@g73sw01:/etc#
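Because the offending character is invisible in most editors, a byte-level search is the quickest way to find it. The script below is an added example, not part of the original post: find_non_ascii lists every line of a config file that contains a byte outside printable ASCII or tab (a pasted no-break space, U+00A0, arrives as the bytes c2 a0; a stray carriage return is caught the same way), and repair_whitespace rewrites those two cases to a plain space and a Unix line ending. It assumes GNU grep and sed as shipped with Ubuntu; the file path is a parameter, so it works for /etc/krb5.conf as well as /etc/sssd/sssd.conf.

```shell
#!/bin/bash
# Added example, not from the original post: locate and repair the invisible
# culprit behind "Improper format of Kerberos configuration file": whitespace
# pasted from an editor that is not an ASCII space (usually U+00A0, bytes c2 a0)
# or a stray carriage return. Assumes GNU grep and sed.

# find_non_ascii FILE -> prints "LINE:content" for every line containing a byte
# outside printable ASCII or tab; returns 0 if something was found, 1 if clean.
find_non_ascii() {
    # printf turns \t into a real tab, so the bracket expression is [^<tab><space>-~];
    # LC_ALL=C makes grep work byte by byte, so any byte >= 0x80 is flagged too.
    LC_ALL=C grep -n "$(printf '[^\t -~]')" "$1"
}

# repair_whitespace FILE -> rewrites FILE in place: U+00A0 becomes a plain space
# and trailing carriage returns are dropped. Other non-ASCII bytes are left for review.
repair_whitespace() {
    LC_ALL=C sed -i -e 's/\xc2\xa0/ /g' -e 's/\r$//' "$1"
}

# Usage: ./krb5-ws-check.sh /etc/krb5.conf [--fix]
if [ $# -ge 1 ]; then
    if find_non_ascii "$1"; then
        if [ "${2:-}" = "--fix" ]; then repair_whitespace "$1" && echo "repaired $1"; fi
    else
        echo "$1: no non-ASCII whitespace found"
    fi
fi
```

Run it without --fix first: the line numbers it prints are the ones to inspect in vi, and anything it flags that is not a no-break space or a carriage return (for example a real UTF-8 character in a comment) is left untouched by the repair step.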

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failename mismatch, certificate is not valid for ‘idmipa01.nix.mds.xyz’

When joining a new client to the FreeIPA servers:

# ipa-client-install --uninstall; ipa-client-install --force-join -p USER -w "SECRET" --fixed-primary --server=idmipa01.nix.mds.xyz --server=idmipa02.nix.mds.xyz --domain=nix.mds.xyz --realm=NIX.MDS.XYZ -U

the following message is visible:

Connection to https://idmipa01.nix.mds.xyz/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failename mismatch, certificate is not valid for ‘idmipa01.nix.mds.xyz’. (_ssl.c:1007)
Connection to https://idmipa02.nix.mds.xyz/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failename mismatch, certificate is not valid for ‘idmipa02.nix.mds.xyz’. (_ssl.c:1007)

On the surface this message doesn’t make much sense.  The certificate definitely matches the hostname:

openssl s_client -connect idmipa01.nix.mds.xyz:443

Save the certificate to a file by copying it out of the output of the above command, then issue:


# openssl x509 -in freeipa.pem -text -noout </dev/null
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 43 (0x2b)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = NIX.MDS.XYZ, CN = Certificate Authority
        Validity
            Not Before: Sep 26 05:16:38 2022 GMT
            Not After : Sep 26 05:16:38 2024 GMT
        Subject: O = NIX.MDS.XYZ, CN = idmipa01.nix.mds.xyz

However, on closer inspection, the certificate has no DNS SAN entry, only the Kerberos othername entries:

            X509v3 Subject Alternative Name:
                othername: UPN::HTTP/idmipa01.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::

To add a DNS SAN entry, issue the following on each IPA server, including any replicas (substitute the request ID from the getcert list output):

idmipa01: getcert list -d "/etc/httpd/alias" -n "Server-Cert"
idmipa01: getcert resubmit -i FROM_ABOVE_COMMAND -D $(hostname)

idmipa02: getcert list -d "/etc/httpd/alias" -n "Server-Cert"
idmipa02: getcert resubmit -i FROM_ABOVE_COMMAND -D $(hostname)

Verify again with the openssl commands from the client that the returned FreeIPA certificates now have a DNS SAN entry:

idmipa01:
            X509v3 Subject Alternative Name:
                DNS:idmipa01.nix.mds.xyz, othername: UPN::HTTP/idmipa01.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::

idmipa02:
            X509v3 Subject Alternative Name:
                DNS:idmipa02.nix.mds.xyz, othername: UPN::HTTP/idmipa02.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::
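The manual s_client / x509 inspection above can be scripted so that every IPA server and replica is checked the same way after the resubmit. The script below is an added example, not part of the original post or of FreeIPA: fetch_server_cert saves the certificate a server presents, and has_dns_san reports whether its subjectAltName carries a DNS entry for the host, which is what the TLS verifier behind ipa-client-install matches against (a CN that happens to equal the host name, as in the pre-fix certificate, does not count). make_test_cert builds constructed self-signed certificates, one with a CN only and one with a DNS SAN, so the check can be exercised offline. It assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/bash
# Added example, not from the original post: the SAN verification as a script.
# TLS clients match the host name against subjectAltName DNS entries, not the CN,
# so has_dns_san is the check that matters. Assumes OpenSSL 1.1.1 or later.

# fetch_server_cert HOST[:PORT] OUT -> saves the leaf certificate a server presents
# (what the manual s_client copy-and-paste step does). Needs network access.
fetch_server_cert() {
    local target=$1
    case "$target" in *:*) ;; *) target="$target:443" ;; esac
    openssl s_client -connect "$target" -servername "${target%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -out "$2"
}

# has_dns_san CERT HOST -> 0 if CERT's subjectAltName contains exactly DNS:HOST,
# 1 otherwise (no SAN extension at all, or only the Kerberos othername entries).
has_dns_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# make_test_cert OUT CN [SAN_HOST] -> self-signed certificate constructed for the
# demonstration only; without SAN_HOST it mirrors the pre-fix FreeIPA cert (CN only),
# with it the post-fix one.
make_test_cert() {
    local out=$1 cn=$2 san=${3:-} key
    key=$(mktemp)
    if [ -n "$san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$out" -days 1 \
            -subj "/O=NIX.MDS.XYZ/CN=$cn" -addext "subjectAltName=DNS:$san" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$out" -days 1 \
            -subj "/O=NIX.MDS.XYZ/CN=$cn" 2>/dev/null
    fi
    rm -f "$key"
}

# Usage: ./san-check.sh CERT.pem HOST   (e.g. freeipa.pem idmipa01.nix.mds.xyz)
if [ $# -eq 2 ]; then
    if has_dns_san "$1" "$2"; then
        echo "$1: DNS SAN for $2 present"
    else
        echo "$1: no DNS SAN for $2 (a matching CN alone is not enough)"; exit 1
    fi
fi
```

For a live check, fetch_server_cert idmipa01.nix.mds.xyz /tmp/idmipa01.pem followed by has_dns_san /tmp/idmipa01.pem idmipa01.nix.mds.xyz gives a zero exit only once the resubmitted certificate is in place; run the same pair for each replica.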

Hope this helps!

Cheers,

Ping resolves internal DNS entries with external IP’s. Nslookup works fine.

Ping resolves internal DNS entries with external IP’s:

C:\Windows\system32>ping atlas-c01

Pinging atlas-c01.nix.mds.xyz [3.64.163.50] with 32 bytes of data:
Control-C
^C
C:\Windows\system32>ping atlas-c01

Pinging atlas-c01.nix.mds.xyz [3.64.163.50] with 32 bytes of data:
Control-C
^C
C:\Windows\system32>

Nslookup works great:

C:\Windows\system32>nslookup atlas-c01.nix.mds.xyz
Server: dns.mds.xyz
Address: 192.168.0.224

Non-authoritative answer:
Name: atlas-c01.nix.mds.xyz
Address: 10.0.0.77

C:\Windows\system32>

Even from a locally installed Ubuntu server, resolution returns external IP addresses:

root@g73sw01:~# ping atlas-c01
PING atlas-c01.mds.xyz (3.64.163.50) 56(84) bytes of data.
From _gateway (192.168.0.1) icmp_seq=1 Redirect Network(New nexthop: _gateway (192.168.0.6))

The Linux box is surprising since normally it should get its IP and DNS settings from netplan:

root@g73sw01:~# cat /etc/netplan/01-network-manager-all.yaml
# Let NetworkManager manage all devices on this system
network:
 version: 2
 renderer: NetworkManager
 ethernets:
  enp5s0:
   dhcp4: no
   addresses: [192.168.0.15/24]
   gateway4: 192.168.0.1
   nameservers:
    addresses: [192.168.0.224,192.168.0.46,192.168.0.51]
root@g73sw01:~#

Still, /etc/resolv.conf has the localhost IP as the nameserver, regardless of what netplan has:

root@g73sw01:~# grep -v "#" /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search mds.xyz
root@g73sw01:~#

And there is a DNS server running on the Ubuntu new install:


root@g73sw01:~# netstat -pnltu|grep -Ei 53
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1750/systemd-resolv
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1801/avahi-daemon:
udp        0      0 127.0.0.53:53           0.0.0.0:*                           1750/systemd-resolv
udp6       0      0 :::5353                 :::*                                1801/avahi-daemon:
root@g73sw01:~#

It turns out that Ubuntu's local DNS resolver service, systemd-resolved, is resolving the internal domain to external IPs.  Stopping it:

root@g73sw01:~# systemctl status systemd-resolved
○ systemd-resolved.service - Network Name Resolution
Loaded: loaded (/lib/systemd/system/systemd-resolved.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Sun 2023-11-19 18:30:48 EST; 2s ago
Docs: man:systemd-resolved.service(8)
man:org.freedesktop.resolve1(5)
https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
Process: 1750 ExecStart=/lib/systemd/systemd-resolved (code=exited, status=0/SUCCESS)
Main PID: 1750 (code=exited, status=0/SUCCESS)
Status: "Shutting down..."
CPU: 8.759s

Nov 19 17:23:24 g73sw01.nix.mds.xyz systemd-resolved[1750]: Grace period over, resuming full feature set (UDP>
Nov 19 17:24:05 g73sw01.nix.mds.xyz systemd-resolved[1750]: Using degraded feature set TCP instead of UDP for>
Nov 19 17:27:25 g73sw01.nix.mds.xyz systemd-resolved[1750]: Using degraded feature set UDP instead of TCP for>
Nov 19 17:33:04 g73sw01.nix.mds.xyz systemd-resolved[1750]: Using degraded feature set UDP instead of UDP+EDN>
Nov 19 17:38:19 g73sw01.nix.mds.xyz systemd-resolved[1750]: Using degraded feature set TCP instead of UDP for>
Nov 19 18:03:09 g73sw01.nix.mds.xyz systemd-resolved[1750]: Using degraded feature set TCP instead of UDP for>
Nov 19 18:30:48 g73sw01.nix.mds.xyz systemd[1]: Stopping Network Name Resolution...
Nov 19 18:30:48 g73sw01.nix.mds.xyz systemd[1]: systemd-resolved.service: Deactivated successfully.
Nov 19 18:30:48 g73sw01.nix.mds.xyz systemd[1]: Stopped Network Name Resolution.
Nov 19 18:30:48 g73sw01.nix.mds.xyz systemd[1]: systemd-resolved.service: Consumed 8.759s CPU time.
root@g73sw01:~#

resolves the issue:

C:\Windows\system32>ping atlas-c01.nix.mds.xyz
Pinging atlas-c01.nix.mds.xyz [10.0.0.77] with 32 bytes of data:
Control-C
^C
C:\Windows\system32>ping atlas-c01.nix.mds.xyz

Digging in further to find out how this is configured.  In this case we want to disable the resolution entirely, so the Ubuntu server doesn't act as a DNS for the rest of the network:


root@g73sw01:~# grep -v "#" /etc/systemd/resolved.conf

[Resolve]
root@g73sw01:~# 

root@g73sw01:~# systemctl disable systemd-resolved
Removed /etc/systemd/system/dbus-org.freedesktop.resolve1.service.
Removed /etc/systemd/system/multi-user.target.wants/systemd-resolved.service.
root@g73sw01:~# systemctl disable systemd-resolved
root@g73sw01:~#

root@g73sw01:~# grep -v "#" /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search mds.xyz
root@g73sw01:~#

On Ubuntu, /etc/resolv.conf is managed by the above-mentioned service (it is a symlink into the systemd-resolved runtime directory), so we need to install another package to edit the resolv.conf entries:

/etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

apt install resolvconf

systemctl status resolvconf

Next edit the following file:

/etc/resolvconf/resolv.conf.d/head

And add the name servers for your network.  For example:

root@g73sw01:~# grep -v "#" /etc/resolvconf/resolv.conf.d/head
nameserver 192.168.0.224
nameserver 192.168.0.46
nameserver 192.168.0.51
root@g73sw01:~#

In this case we only want to enable the following service:

systemctl restart resolvconf

and do not wish to have our Ubuntu server resolve for the rest of the network, so the following service will remain disabled:

systemctl disable systemd-resolved

However, in other environments the service can be re-enabled as needed. That did not appear to be the case here, though: both services had to be enabled:

root@g73sw01:~# vi /etc/resolv.conf
root@g73sw01:~# vi /etc/resolvconf/resolv.conf.d/head
root@g73sw01:~#
root@g73sw01:~#
root@g73sw01:~#
root@g73sw01:~# systemctl restart systemd-resolved resolvconf
root@g73sw01:~# grep -v "#" /etc/resolvconf/resolv.conf.d/head
nameserver 192.168.0.224
nameserver 192.168.0.46
nameserver 192.168.0.51
domain nix.mds.xyz
search mds.xyz nix.mds.xyz mws.mds.xyz
root@g73sw01:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 192.168.0.224
nameserver 192.168.0.46
nameserver 192.168.0.51
nameserver 127.0.0.53
search nix.mds.xyz mds.xyz mws.mds.xyz
root@g73sw01:~#

Yet this didn't work either. Finally, disabling both services altogether resolved it:

root@g73sw01:~# grep -v "#" /etc/resolv.conf
nameserver 192.168.0.224
nameserver 192.168.0.46
nameserver 192.168.0.51
search nix.mds.xyz mds.xyz mws.mds.xyz
root@g73sw01:~# systemctl disable systemd-resolved resolvconf
Synchronizing state of resolvconf.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable resolvconf
root@g73sw01:~#

Summary

What did work is removing the resolvconf package and simply updating the DNS entries with nmcli (NetworkManager) commands like this:

# nmcli con add type ethernet con-name ens160 ifname ens160 ipv4.addresses 192.168.0.30/24 ipv4.gateway 192.168.0.1 ipv4.dns "192.168.0.46 192.168.0.51 192.168.0.224" ipv4.method manual ipv4.dns-search "mds.xyz nix.mds.xyz mws.mds.xyz"

Followed by:

nmcli c s ens160
nmcli c u ens160
ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
unlink /etc/resolv.conf

In summary, the following sequence of commands was the one tried above that did not work:

apt install resolvconf
systemctl enable resolvconf
systemctl start resolvconf

Disable the previous service:

systemctl stop systemd-resolved
systemctl disable systemd-resolved

Add DNS entries to:

/etc/resolvconf/resolv.conf.d/head

Regenerate the entries using:

sudo resolvconf -u

Problem Solved!
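As an added check (my own example, not part of the original write-up above), the script below tells you which mechanism is generating /etc/resolv.conf on an Ubuntu box and whether the nameservers actually in effect are the ones you expect, so a host that has quietly fallen back to the 127.0.0.53 stub, or picked up a resolver you never configured, shows up before it bites. The symlink targets are the ones the systemd-resolved and resolvconf packages use; the 192.168.0.x addresses in the comments are the ones from this post.

```shell
#!/bin/sh
# Added example (not from the original post): find out who owns /etc/resolv.conf
# on an Ubuntu host and verify the nameservers actually in effect.
# /etc/resolv.conf is the only fixed path assumed; the symlink targets below are
# the ones Ubuntu's systemd-resolved and resolvconf packages create.

# resolv_owner FILE
#   Prints which mechanism generates FILE, judged from its symlink target:
#     systemd-stub      -> .../systemd/resolve/stub-resolv.conf (127.0.0.53 stub)
#     systemd-resolved  -> .../systemd/resolve/resolv.conf (upstream servers)
#     resolvconf        -> .../resolvconf/resolv.conf
#     static            -> a regular file (hand-edited or written by NetworkManager)
resolv_owner() {
    f="$1"
    if [ -L "$f" ]; then
        target=$(readlink "$f")
        case "$target" in
            */systemd/resolve/stub-resolv.conf) echo systemd-stub ;;
            */systemd/resolve/resolv.conf)      echo systemd-resolved ;;
            */resolvconf/resolv.conf)           echo resolvconf ;;
            *)                                  echo "unknown:$target" ;;
        esac
    else
        echo static
    fi
}

# all_nameservers FILE
#   Prints every nameserver address in FILE (comments skipped), stub included.
all_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# effective_nameservers FILE
#   Same, but without the 127.0.0.53 stub: the stub only forwards to whatever
#   systemd-resolved was given, so it says nothing about the real upstream.
effective_nameservers() {
    all_nameservers "$1" | grep -vx '127.0.0.53' || true
}

# check_nameservers FILE SERVER...
#   Returns 0 when the effective nameservers in FILE are exactly the SERVERs
#   given; otherwise prints each missing/unexpected address and returns 1.
#   Also warns when more than three nameserver lines are present, because the
#   glibc resolver only consults the first three (see resolv.conf(5)); the
#   four-entry file produced by running both services above hits exactly that.
check_nameservers() {
    f="$1"; shift
    status=0
    for want in "$@"; do
        effective_nameservers "$f" | grep -qx "$want" || { echo "missing: $want"; status=1; }
    done
    for have in $(effective_nameservers "$f"); do
        found=0
        for want in "$@"; do
            [ "$have" = "$want" ] && found=1
        done
        [ "$found" -eq 1 ] || { echo "unexpected: $have"; status=1; }
    done
    if [ "$(all_nameservers "$f" | wc -l | tr -d ' ')" -gt 3 ]; then
        echo "warning: more than 3 nameserver lines; glibc uses only the first 3"
    fi
    return $status
}

# Report on the live file when the script is run directly, e.g.
#   check_nameservers /etc/resolv.conf 192.168.0.224 192.168.0.46 192.168.0.51
if [ -r /etc/resolv.conf ]; then
    echo "/etc/resolv.conf is generated by: $(resolv_owner /etc/resolv.conf)"
    echo "effective nameservers: $(effective_nameservers /etc/resolv.conf | tr '\n' ' ')"
fi
```

Run it from cron or a config-management check with the three internal servers as arguments; a non-zero exit, or the "unexpected:" line, is the signal that something (a package upgrade re-enabling systemd-resolved, a DHCP lease on the Wi-Fi interface) has changed the resolver behind your back.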

Cheers,

Set Static IP on Ubuntu Server

Via the CLI:

root@tom-G73Sw:~# cd /etc/netplan/
root@tom-G73Sw:/etc/netplan# cat 01-network-manager-all.yaml
# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    enp5s0:
      dhcp4: no
      addresses: [192.168.0.15/24]
      gateway4: 192.168.0.1
      nameservers:
        addresses: [192.168.0.224,192.168.0.46,192.168.0.51]
root@tom-G73Sw:/etc/netplan#

Then issue:

netplan try

so the changes take effect. Via the UI, go to Activities, then Settings, and select Network or Wi-Fi, depending on which interface you wish to set the IP on. Typically, leaving Wi-Fi on DHCP makes some sense for redundancy. Your choice:

Ubuntu Static IP Configuration via GUI

Cheers,

BitDefender Parental Control

BitDefender updates resulted in this message being printed:

“we could not verify the certificate: reason = wrongHost”

“we could not verify the certificate: reason = untrusted”

And on further inspection, BitDefender is revealed to be the culprit, via its Parental Controls:

we could not verify the certificate: reason = wrongHost

To fix this, I uninstalled BitDefender Parental Control in Windows, as it didn't have any apparent configuration to refine the blockage of the internal DNS site. I then reinstalled just BitDefender Total Security to address the problem, all the while trying not to install BitDefender Parental Control. Hope this helps!

Cheers,
Tk

VMware: Add user and group access to only a single ESXi host

Follow the following steps to add specific user and group access to a single ESXi host:

  1. Configure a single group, be it AD (remote) or Local.
  2. Add user to the above group.
  3. Login to the VCSA (vSphere Client).
  4. Select the ESXi host.
  5. Click on the Permissions tab.
  6. Click on the + icon.  You will be in the Add Permission | host01.domain.abc popup.
  7. Select the domain.
  8. Select the group.  Start typing so the filter can locate your group.
  9. Select the role to apply. (Roles can be defined by the Administrator.)
  10. Propagate to all children, if you wish to do so.
  11. Test!

HTH,

VMWare: Enable Management network: Error – Setting ip/ipv6 configuration failed

Getting a rather cryptic ESXi error message when trying to set a new IPv4 IP:

Enable Management Network: Error

Setting ip/ipv6 configuration failed:

For example, when trying to set 10.3.0.12, this is what is seen:

https://i0.wp.com/www.microdevsys.com/WordPressImages/ESXi-Enable-Management-Network-Error.PNG?ssl=1

It doesn't really say what the real reason behind the error is. Taking a dive into the network configuration of the ESXi host reveals the reason why:

[root@mdsesxi-p04:~] esxcli network ip interface ipv4 get
Name  IPv4 Address  IPv4 Netmask   IPv4 Broadcast  Address Type  Gateway   DHCP DNS
----  ------------  -------------  --------------  ------------  --------  --------
vmk0  10.3.0.11     255.255.255.0  10.3.0.255      STATIC        10.3.0.1     false
vmk1  10.3.0.12     255.255.255.0  10.3.0.255      STATIC        10.3.0.1     false
vmk2  10.0.0.11     255.255.255.0  10.0.0.255      STATIC        0.0.0.0      false
[root@mdsesxi-p04:~]

In the UI there's no indication that the IP 10.3.0.12 is already taken by the vmkernel interface vmk1. Instead, setting it to 10.3.0.13, which is free:

[root@mdsesxi-p04:~] esxcli network ip interface ipv4 get
Name  IPv4 Address  IPv4 Netmask   IPv4 Broadcast  Address Type  Gateway   DHCP DNS
----  ------------  -------------  --------------  ------------  --------  --------
vmk0  10.3.0.13     255.255.255.0  10.3.0.255      STATIC        10.3.0.1     false
vmk1  10.3.0.12     255.255.255.0  10.3.0.255      STATIC        10.3.0.1     false
vmk2  10.0.0.11     255.255.255.0  10.0.0.255      STATIC        0.0.0.0      false
[root@mdsesxi-p04:~]

Works perfectly well! With the new IP, the host can now be added to the vSphere Client / Server (VCSA). Additional handy ESXi commands:

esxcli network nic list
esxcli network ip netstack list
esxcli network vswitch standard list
esxcli network vswitch standard portgroup list
esxcli network ip dns search list
esxcli network ip interface list
esxcli network ip interface ipv4 get

See the full command list here:

https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference
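The esxcli table above already contains the answer the UI hides. As an added example (mine, not VMware's and not from the original post), here is a small shell script that reads a saved copy of that output and flags a candidate management IP that a vmkernel interface already holds, so the conflict is caught before the Enable Management Network dialog throws its generic error. The table is the one from this post, embedded as constructed sample input; on a live host you would first save the real output with esxcli network ip interface ipv4 get > somefile and point the functions at that.

```shell
#!/bin/sh
# Added example, not part of the original post: before assigning a new
# management IP on an ESXi host, check the saved output of
# "esxcli network ip interface ipv4 get" for a vmkernel interface that
# already carries that address. The table below is the one shown in the post.

# vmk_using_ip FILE IP
#   Prints the vmkernel interface (vmkN) in FILE whose IPv4 address is IP and
#   returns 0; returns 1 (printing nothing) when no interface uses it.
vmk_using_ip() {
    awk -v ip="$2" '
        $1 ~ /^vmk[0-9]+$/ && $2 == ip { print $1; found = 1 }
        END { exit !found }' "$1"
}

# vmk_addresses FILE
#   Prints "interface address netmask" for every vmkernel interface in FILE,
#   skipping the header and separator rows.
vmk_addresses() {
    awk '$1 ~ /^vmk[0-9]+$/ { print $1, $2, $3 }' "$1"
}

# first_free_ip FILE IP...
#   Prints the first of the given candidate IPs that no vmkernel interface in
#   FILE uses and returns 0; returns 1 when every candidate is taken.
first_free_ip() {
    f="$1"; shift
    for ip in "$@"; do
        if ! vmk_using_ip "$f" "$ip" >/dev/null; then
            echo "$ip"
            return 0
        fi
    done
    return 1
}

# Constructed sample: the table from the post, as esxcli printed it.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Name  IPv4 Address  IPv4 Netmask   IPv4 Broadcast  Address Type  Gateway   DHCP DNS
----  ------------  -------------  --------------  ------------  --------  --------
vmk0  10.3.0.11     255.255.255.0  10.3.0.255      STATIC        10.3.0.1     false
vmk1  10.3.0.12     255.255.255.0  10.3.0.255      STATIC        10.3.0.1     false
vmk2  10.0.0.11     255.255.255.0  10.0.0.255      STATIC        0.0.0.0      false
EOF

# Walk the candidates the post tried: 10.3.0.12 collides with vmk1, 10.3.0.13 is free.
for candidate in 10.3.0.12 10.3.0.13; do
    if owner=$(vmk_using_ip "$sample" "$candidate"); then
        echo "$candidate: already assigned to $owner (this is what the UI error hides)"
    else
        echo "$candidate: free on this host"
    fi
done
```

The same parse is worth running from the vSphere side before any re-addressing job: dump the table from each host, feed it to first_free_ip with the addresses you plan to hand out, and you never get to the cryptic dialog in the first place.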

HTH,


Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License