

BlueBear Kodiak

Recently, I was perusing the web in search of a good vSphere client replacement or solution for Linux or Mac OS X. I had come across many articles praising Kodiak, yet could not find myself an invite key anywhere. Kodiak uses Adobe AIR to create a cross-platform comparable version of the VMware vSphere client. It seemed as though everyone had stopped talking about it as of late.

Not giving up, I emailed the head of BlueBear LLC, Matt Miller, in search of these elusive invites. Being the generous guy that he is, he gave me a bunch of invites to pass around to all who wish to have it.

## Update ##

It seems as though beta keys are no longer needed to access their application. Check it out here

Posted in Linux, VMware.


Accessing User Profile Folders in Windows 2008 Server When Access is Denied

When you create a new user in Active Directory, Windows does not, by default, grant the Administrators or Domain Admins group permissions on that user's profile folder. This can make it difficult for administrators to determine the size of a user’s profile and to debug any profile problems that may arise. To avoid this problem, create a GPO that grants privileges to the Administrators group when new profiles are created.

  1. Open "Group Policy Management Console" in Administrative Tools
  2. Create and link a GPO titled "User Profile Permissions for Administrators"
  3. Open Computer Configuration > Administrative Templates > System > User Profiles
  4. Set "Add the Administrators security group to roaming user profiles" to Enabled

This will take effect on all accounts created after the GPO is in place. But what about existing accounts? This GPO will have no effect on them. The traditional solution has been to take ownership of the profile through advanced security settings. This has the unfortunate side effect of making the profile temporarily unreadable by the user. In addition, the administrator also has to correctly reset permissions and ownership on the profile when maintenance operations are completed.

Wouldn’t it be great if there was a way to grant administrators access to the profile without these nasty side effects? Thanks to Microsoft’s Sysinternals tools, there is.

First, download psexec. Next, use psexec to open a command prompt as the SYSTEM account. This is important, because by default, only the SYSTEM account and associated user account have access to the profile.

psexec.exe -i -s cmd.exe

The -i flag tells psexec to run the command interactively and the -s tells it to run as the SYSTEM user. In the newly opened command window, cd to one level above the folder you wish to add permissions to. The command to modify permissions in Windows 2008 is icacls. If your profiles are stored in D:\Profiles, you would run the commands like this:

d:
cd \Profiles
icacls * /grant "DOMAIN\Administrators":(OI)(CI)F

Voilà, Administrators now have access to the profile folders while all other permissions and ownership are retained. As always, be extremely careful when running these commands. One typo or misapplication could cause serious damage to your system.

Posted in Windows.


Reinstalling Cisco VPN Client for Vista

While working with a Vista PC, I came across a problem where I was unable to install the VPN client, yet it had already been uninstalled.

Error 28000: Before installing the Cisco Systems VPN Client 5.0.01.0530. you must uninstall the previous version of Cisco Systems VPN Client, using the Add/Remove Program Files option in the Control Panel.  Then restart your system.

After extensive searching, we came across this article which sheds some light on the subject.

Basically you need to create a .ini file which has the same name as the installer, in this case vpnclient_setup.ini. Copy and paste the following text into the document, and make sure that your installer, product name and versions match up with the values below. If they do not, change them as you see fit.

After that has been completed, run the installer with the /quiet flag from the command line (Example: `c:\vpnclient_setup.msi /quiet`). There will be no feedback, and the computer will restart automatically.

[WiseInstaller]
Runtime9XVersion=2.0.2600.2
RuntimeNTVersion=2.0.2600.2
ProductFile=vpnclient_setup.msi
ProductCode={14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}
ProductVersion=5.0.1
ProductName=Cisco Systems VPN Client 5.0.01.0600
Remove Previous=1
AdminError=You must have administrator rights to run this installation. Please login as an administrator and re-run this installation.
ExistError=%s Version %s is already installed. You must uninstall the existing version before installing %s Version %s. Do you want to uninstall the existing version of %s?
SpaceError=Could not create temporary file, not enough free temporary disk space. Please free up disk space and rerun this installation.
WiseInitPrefix=Initializing
WiseInitSuffix=Wizard…
WiseInitLangPrompt=
WiseInitLangDefault=English,1033
Runtime9X=instmsi.exe
RuntimeSize9X=1708856
RuntimeNT=instmsiw.exe
RuntimeSizeNT=1822520
DelayReboot=1

Original Article:

http://social.technet.microsoft.com/Forums/en-US/itprovistaapps/thread/f8e50899-4598-4f31-9802-15e46c7e827e

Posted in Networking, Windows.


Remote Uninstall of Symantec Endpoint Protection 11 with CleanWipe

Symantec Endpoint Protection 11 has got to be one of the worst anti-virus products ever produced. Not only is it a resource hog, but it also will fill your entire hard drive with virus definition updates. I recently switched a client from SEP 11 to Kaspersky, a much better product IMO, and needed to remotely uninstall SEP 11. I wrote a batch file to accomplish the removal of SEP. There are several things you need to make the batch file work:

  1. pstools from Microsoft – psexec is what we’ll be using
  2. Windows 2003 Resource Kit Tools – we’ll be using robocopy
  3. CleanWipe from Symantec – you’ll need to call Symantec support for this one

There may be other ways of getting CleanWipe, but I wouldn’t know about them.

Once you’ve got these tools, extract CleanWipe to a folder, say c:\utilities\cleanwipe. Create a file in that folder called remote_uninstall_sep.cmd and paste the following script into it:

@echo off
rem Usage: remote_uninstall_sep <machinename>
if "%1" == "" goto error

rem Copy the CleanWipe folder (the current directory) to C:\temp on the remote machine
"c:\Program Files\Windows Resource Kits\Tools\robocopy.exe" . \\%1\c$\temp\cleanwipe
rem Run CleanWipe silently on the remote machine, then remove the copied folder
psexec \\%1 -w c:\temp\cleanwipe cmd.exe /c runcleanwipe.bat -silent
psexec \\%1 -w c:\temp cmd.exe /c rmdir /s /q cleanwipe
echo "Cleanwipe is finished"
goto end

:error
echo "missing argument!"
echo "usage: remote_uninstall_sep <machinename>"

:end

You can then run the script as follows:

c:\utilities\cleanwipe>remote_uninstall_sep machinename

You’ll see the files being copied over and then cleanwipe starts its magic. Once it’s complete, SEP should be gone and you can install the AV program of your choice.

Posted in Windows.


Shell script to copy a virtual machine in VMWare Server

The following script will copy one virtual machine to another with VMWare Server. Note that this script assumes vmware-vdiskmanager is in your path. Simply go to the directory where your VMs are located and issue this command:

% ./copyVM.sh OLDVM NEWVM

Script:

#!/bin/sh
# Copy the VM directory $1 to $2, then rename the disk and config files to match.
set -e
[ $# -eq 2 ] || { echo "usage: $0 OLDVM NEWVM" >&2; exit 1; }
cp -a "$1" "$2"
cd "$2"
# Rename the virtual disk (vmware-vdiskmanager also fixes the descriptor references)
vmware-vdiskmanager -n "$1.vmdk" "$2.vmdk"
mv "$1.vmsd" "$2.vmsd"
mv "$1.vmx" "$2.vmx"
# Point the copied .vmx at the renamed files
sed -i "s/$1/$2/" "$2.vmx"
rm -f *.log
cd ..

Posted in Linux.


Making PostfixAdmin and MySQL play nice with hashed passwords

I recently set up a Postfix email server more or less following this tutorial on Howto forge. One feature I desired as part of my setup was PostfixAdmin, a web interface that enables easy administration of Postfix.

PostfixAdmin has a database schema that is different from the one described in the tutorial, but altering the Postfix configuration given in the tutorial to mesh with the PostfixAdmin schema was easier than I thought. It was simply a matter of editing the mysql-virtual*.cf files in /etc/postfix to point to the correct tables and fields in the updated schema.

The problem I ran into when trying to get PostfixAdmin working with the tutorial configuration was that the PostfixAdmin password hashing routines were not compatible with the MySQL ENCRYPT function or the pam_mysql.so hashing routines. This is because MySQL’s ENCRYPT function and pam_mysql.so use the UNIX crypt() function by default to hash passwords. The crypt hashing algorithm is system dependent, but on my Ubuntu Feisty server, it was using DES. The pacrypt() function in PostfixAdmin’s functions.inc.php file was hashing passwords with MD5.

To make pacrypt() use DES encryption and allow for compatibility with MySQL and PAM, open config.inc.php in the base PostfixAdmin directory. Find the option called $CONF['encrypt'] and make sure it’s set to 'system'. Now open functions.inc.php and go to the pacrypt function. After the line

if ($CONF['encrypt'] == 'system')

Insert the following code:

if ($pw_db == "")
{
    $salt = substr(create_salt(), 0, 2); // a two-character salt makes crypt() use DES
}

You will also need to change the line

if (ereg ("\$1\$", $pw_db))

to

elseif (ereg ("\$1\$", $pw_db))

These changes cause pacrypt() to generate a two character salt, which will cause the PHP crypt() function to hash the password with DES. This ensures your PostfixAdmin installation will be compatible with the MySQL ENCRYPT function and also pam_mysql.so.

Posted in Linux.


A routed VPN with DD-WRT and OpenVPN

A client of mine recently had need of a VPN link between their main office and a remote office. Based on previous experience, I decided the OpenVPN version of DD-WRT running on two low-cost routers would provide a cost-effective solution to the problem. My goal was to create a VPN that would allow systems on either side of the connection to have connectivity with systems on the other side, but not pass broadcast traffic. I also wanted the routers to automatically connect on startup and continually try to reconnect if Internet connectivity was lost. I couldn’t find any other documentation on the Interwebs that described this solution, so I decided to lay it out here on ShortBus.

Installing the Firmware
The first thing you will need is two routers capable of running DD-WRT. In my case, I chose two Buffalo WHR-G54S’s. Next, you will need to download the latest VPN version of DD-WRT. Make sure you get the right version for your brand of router. Finally, follow the firmware installation instructions, making sure you check for any special procedure for your router. Buffalo routers require a unique procedure for the initial flash of DD-WRT.

The LAN subnets of the routers must be different for this configuration. This needs to be set up in the web interface of DD-WRT. For the purposes of this tutorial, the OpenVPN server subnet is 192.168.1.0/255.255.255.0 and the OpenVPN client subnet is 192.168.2.0/255.255.255.0.

Creating OpenSSL Keys
The next step is to generate Public Key Infrastructure (PKI) certificates and keys for your routers. The easiest way to do this is to download a copy of OpenVPN onto your local system. If you use Ubuntu Linux, you can do this with

# apt-get install openvpn

The key generation scripts are located in /usr/share/doc/openvpn/examples/easy-rsa. cd there and follow the PKI generation instructions on the OpenVPN web site. You need to generate one cert/key pair for the server and one for each client. Be sure to give each client certificate a unique Common Name.

Creating the DD-WRT Startup Scripts
The procedure here is to generate the OpenVPN config files and cert/key files from the startup script in /tmp on each boot.

Replace the …INSERT YOUR OWN CONTENT HERE… with the certs/keys generated in the last section.

rc_startup – server

# all files will be created in /tmp
cd /tmp
openvpn --mktun --dev tun0
ifconfig tun0 10.8.0.1 netmask 255.255.255.0 promisc up

echo \"
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number
dev tun0 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression
client-config-dir ccd
route 192.168.2.0 255.255.255.0
client-to-client
server 10.8.0.0 255.255.255.0
push \\\"route 192.168.1.0 255.255.255.0\\\"
push \\\"route 192.168.2.0 255.255.255.0\\\"

# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
\" > openvpn.conf

echo \"
-----BEGIN CERTIFICATE-----
…INSERT YOUR OWN CONTENT HERE…
-----END CERTIFICATE-----
\" > ca.crt
echo \"
-----BEGIN RSA PRIVATE KEY-----
…INSERT YOUR OWN CONTENT HERE…
-----END RSA PRIVATE KEY-----
\" > server.key
chmod 600 server.key
echo \"
-----BEGIN CERTIFICATE-----
…INSERT YOUR OWN CONTENT HERE…
-----END CERTIFICATE-----
\" > server.crt
echo \"
-----BEGIN DH PARAMETERS-----
…INSERT YOUR OWN CONTENT HERE…
-----END DH PARAMETERS-----
\" > dh1024.pem

# Client routing setup: tell OpenVPN which client owns the 192.168.2.0 subnet
mkdir ccd
echo \"
iroute 192.168.2.0 255.255.255.0
\" > ccd/client1

sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf

This configuration file will allow clients on either subnet to see clients on the other subnet (see the addendum at the end of this post for a problem I ran into with this). The push lines push the routes to each client. This allows for file sharing, client/server communication, etc. between subnets without passing broadcast traffic across the VPN, which is what would happen if we created a bridged connection with a tap interface. For more information on what each parameter does, see the openvpn man page or HOWTO.

In the second-to-last section

rc_startup – client

cd /tmp
openvpn --mktun --dev tun0

echo \"
# Tunnel options
client # Set OpenVPN major mode
dev tun0 # TUN/TAP virtual network device
proto udp # Setup the protocol (server)
remote <SERVER WAN ADDRESS> 1194 # TCP/UDP port number
resolv-retry infinite
nobind
daemon
persist-key
persist-tun
ca ca.crt # Certificate authority (CA) file
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo # Use fast LZO compression
verb 3 # Set output verbosity to n
\" > openvpn.conf

echo \"
-----BEGIN CERTIFICATE-----
…INSERT YOUR OWN CONTENT HERE…
-----END CERTIFICATE-----
\" > ca.crt

echo \"
-----BEGIN CERTIFICATE-----
…INSERT YOUR OWN CONTENT HERE…
-----END CERTIFICATE-----
\" > client1.crt

echo \"
-----BEGIN RSA PRIVATE KEY-----
…INSERT YOUR OWN CONTENT HERE…
-----END RSA PRIVATE KEY-----
\" > client1.key
chmod 600 client1.key

sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf

This client configuration will continuously retry to connect to the server. If the Internet connection goes down, the VPN link will reconnect when Internet connectivity is restored.

rc_firewall – client and server

/usr/sbin/iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
/usr/sbin/iptables -I INPUT -i tun+ -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun+ -j ACCEPT

The firewall rules can be used on both the client and server.

These files need to be saved in the router’s flash memory with the nvram set command. We will be saving rc_startup and rc_firewall scripts for both the server and client. Execute the commands below for both the client and server, pasting the appropriate file where indicated:

# nvram set rc_startup="
><paste rc_startup here>
>"
# nvram set rc_firewall="
><paste rc_firewall here>
>"
# nvram commit

Testing The Connection
This setup can be tested on a LAN by connecting the WAN ports of each router to your LAN switch. Enable remote administration in the DD-WRT web interface so you can login to both routers. Also, the LAN subnet you are testing on must not be the same as either of the router LAN subnets. In this case, it could be 192.168.10.0/255.255.255.0.

Once the startup scripts have been saved to flash memory, reboot both routers. SSH into both routers and check that openvpn is running with # ps | grep myvpn. If it is running, congratulations, you have a VPN link. If it is not running on one or both routers, uncomment the daemon line in /tmp/openvpn.conf and start openvpn manually with # /tmp/myvpn --config openvpn.conf. You should receive an error message on the console to help with debugging. I found it very handy to put OpenVPN in the background by issuing a CTRL-Z and then bg. This allows you to issue commands but still see any error messages echoed to the console. If your connection is established but you can’t ping across it, check the OpenVPN FAQ.
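A pre-flight check worth running before rebooting the routers, added here as an example and not part of the original post: the most common reason a routed setup like this one comes up but cannot ping the far side is a server "route" line with no matching "iroute" in the ccd directory (or the reverse). This script reads a server openvpn.conf and a ccd directory, reports any mismatch, and runs against a constructed copy of the post's own configuration; the file layout and function names are mine.

```shell
#!/bin/bash
# Added example, not from the original post: verify that the server's "route"
# lines and the ccd "iroute" lines agree. A route with no iroute means OpenVPN
# cannot tell which client owns that subnet (tunnel up, nothing behind the
# client answers); an iroute with no route means the kernel never hands those
# packets to tun0 at all.

# Print "network/netmask" for every DIRECTIVE line in the given files,
# trailing # comments stripped, duplicates removed.
list_routes() {  # $1 = directive (route or iroute), remaining args = files
    local directive=$1; shift
    awk -v d="$directive" '{ sub(/#.*/, "")
        if ($1 == d && NF >= 3) print $2 "/" $3 }' "$@" 2>/dev/null | sort -u
}

# check_iroutes SERVER_CONF CCD_DIR: returns 0 if consistent, 1 if anything is missing
check_iroutes() {
    local conf=$1 ccd=$2 status=0 net routes iroutes
    routes=$(list_routes route "$conf")
    iroutes=$(list_routes iroute "$ccd"/*)
    for net in $routes; do
        if ! printf '%s\n' "$iroutes" | grep -qxF "$net"; then
            echo "route $net has no iroute in any file under $ccd/"; status=1
        fi
    done
    for net in $iroutes; do
        if ! printf '%s\n' "$routes" | grep -qxF "$net"; then
            echo "iroute $net has no matching route in $conf"; status=1
        fi
    done
    return $status
}

# Constructed sample mirroring the post: the server routes 192.168.2.0/24 to
# the client and ccd/client1 claims that subnet with iroute.
make_sample() {  # $1 = directory to populate
    mkdir -p "$1/ccd"
    printf '%s\n' 'mode server' 'route 192.168.2.0 255.255.255.0 # remote office' \
        'server 10.8.0.0 255.255.255.0' \
        'push "route 192.168.1.0 255.255.255.0"' > "$1/openvpn.conf"
    printf 'iroute 192.168.2.0 255.255.255.0\n' > "$1/ccd/client1"
}

# Same setup with an empty ccd/client1: the classic mistake behind
# "the VPN is up but I can't ping anything behind the client".
make_broken_sample() {
    make_sample "$1"
    : > "$1/ccd/client1"
}

# Usage: ./check_iroutes.sh /tmp/openvpn.conf /tmp/ccd
if [ $# -eq 2 ]; then check_iroutes "$1" "$2"; fi
```

On the router itself the files live in /tmp, so the check is run there against /tmp/openvpn.conf and /tmp/ccd after the startup script has generated them.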

Conclusion
If you followed this correctly, you should now have a routed VPN network allowing systems on both the server and client side to ping and connect to systems on the other side.

Addendum
I did run into one strange problem that has me stumped. Routing from the server subnet (192.168.1.x) to the client subnet (192.168.2.x) does work correctly if the server is in daemon mode. If I take the daemon line out of the server configuration file and restart OpenVPN, packets are routed correctly. Routing from the client subnet to the server subnet works correctly either way. If anyone knows why this is, please leave a comment.

Posted in Linux, Networking.


Monitor Linux RAID Array via Email

So you’ve just set up your shiny new Linux server with RAID Level 1 (mirroring) to ensure that even if you have a hard drive crash, your system will continue to operate. Great idea, but how will you know if one of your hard drives is hemorrhaging data? That’s where this handy script comes in. Your RAID status can be checked with the /proc/mdstat file. First, you need to take a snapshot of your healthy /proc/mdstat file.

# cat /proc/mdstat > /root/mdstat

This will save the file in root’s home directory. You can save the file anywhere, but make sure user write permissions are disabled. Here’s the bash script to monitor your RAID array.

#!/bin/bash
# Emails root if /proc/mdstat differs from the saved healthy snapshot

TO="root"
CC="youraccount@gmail.com"
SUBJECT="raid array problem on linux server"
HEALTHYFILE=/root/mdstat
MDSTAT=/proc/mdstat

# diff exits non-zero when the files differ, i.e. the array state has changed
if ! diff "$HEALTHYFILE" "$MDSTAT" >/dev/null 2>&1; then
    mail -s "$SUBJECT" -c "$CC" "$TO" < "$MDSTAT"
fi

Save the script, set it to be executable and add it to your /etc/crontab. I run it once a day. If you are running Fedora, you can just drop it in your /etc/cron.daily folder and you’re good to go. If one of the drives in your RAID array goes down, you’ll receive an email with the contents of /proc/mdstat.
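The diff approach above mails on any change to /proc/mdstat, including a resync progress line or a scheduled check, and it goes quiet again once a new snapshot is taken. The following script, added here as an example rather than code from the original post, goes a step further by parsing the status bracket of each array ("[UU]" healthy, "[_U]" one member missing) so that only a genuinely degraded array triggers mail; the sample mdstat text and the function names are my own.

```shell
#!/bin/bash
# Added example, not from the original post: parse the status bracket of each
# array in /proc/mdstat instead of diffing the whole file, so harmless changes
# do not trigger mail but a degraded array always does.

# Constructed /proc/mdstat sample: md1 has lost a member, md0 is healthy.
SAMPLE_MDSTAT='Personalities : [raid1]
md1 : active raid1 sdb2[1]
      488254464 blocks [2/1] [_U]

md0 : active raid1 sda1[0] sdb1[1]
      1048512 blocks [2/2] [UU]

unused devices: <none>'

# degraded_arrays < mdstat-text: prints "mdN [status]" for every degraded
# array and returns 1; returns 0 when all arrays are healthy.
degraded_arrays() {
    awk '
        /^md[0-9]+ *:/ { dev = $1 }                  # start of an array block
        dev != "" && match($0, /\[[U_]+\]/) {        # its status bracket line
            st = substr($0, RSTART, RLENGTH)
            if (index(st, "_")) { print dev, st; bad = 1 }
            dev = ""
        }
        END { exit (bad ? 1 : 0) }'
}

# mail_if_degraded MDSTAT_FILE: same delivery as the post (mdstat contents to
# root, copy to CC), but only when something is degraded; returns 1 if mail was sent.
mail_if_degraded() {
    local file=$1 report
    if report=$(degraded_arrays < "$file"); then
        return 0
    fi
    printf 'Degraded arrays on %s:\n%s\n\n%s\n' "$(hostname)" "$report" "$(cat "$file")" \
        | mail -s "raid array problem on $(hostname)" -c youraccount@gmail.com root
    return 1
}

# Usage: ./raidcheck.sh --check    (reads /proc/mdstat, mails root if degraded)
#        ./raidcheck.sh --sample   (runs against the constructed sample above)
case "${1:-}" in
    --check)  mail_if_degraded /proc/mdstat ;;
    --sample) printf '%s\n' "$SAMPLE_MDSTAT" | degraded_arrays ;;
esac
```

Run it from cron with --check exactly as the post describes for the diff version; no snapshot file is needed.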

Posted in Linux.