Axelilly's Ponderings

Can’t mount a Windows 2008 share?

axelilly — Tue, 27 Sep 2011 14:34:18 +0000

If you are trying to mount a Windows 2008 (or potentially other versions of windows) share using mount.cifs and you keep getting an input/output error like the one below, then read on.

[jason@superfreak ~]$ sudo mount //powerhouse-smb.mydomain.com/LogFiles /mnt/ecomm/ -tcifs -orw,username=doctor
Password:
mount error 5 = Input/output error
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)

The error reporting that is provided by mount.cifs is really not that good. That input/output error could really mean anything. Let’s use smbclient to attempt a connection to the share. smbclient is sort of like a FTP client, but used to connect to a SMB share. However, the real reason why we are using it is because it gives much more detailed error reporting by default. Also, you could increase the debug level to some truly insane detail.

[jason@superfreak ~]$ smbclient //powerhouse-smb.mydomain.com/LogFiles -U doctor
Enter doctor’s password:
Domain=[POWERHOUSE] OS=[Windows Server 2008 R2 Standard 7601 Service Pack 1] Server=[Windows Server 2008 R2 Standard 6.1]
tree connect failed: NT_STATUS_DUPLICATE_NAME

Finally, some more detail. The error message ‘NT_STATUS_DUPLICATE_NAME’ indicates that the connection was denied by the windows server because the destination host name that I provided was different then the computer name set on the actual destination server. This is a security feature in Windows Server 2008 (and likely other versions of Windows). In my case this is because I access the server through a load balancer. There is a special virtual service on the load balancer to allow the SMB connection into the server. However, for you the mismatch might be caused by a alias in your hosts file, bad DNS entry or simply even a mistype.

Now try the mount operation using the IP addresses instead of the hostname. Using just the IP address will not cause that security check to trip. Now it should work with no issues.

Happy Hacking.

View the contents of a SSL cert.

axelilly — Wed, 14 Sep 2011 17:45:36 +0000

Did you just find a thisserver.crt file on your machine and you want to check the details of what it’s for? In other words you have a SSL certificate that you want to decode.

You need to be on Linux and have OpenSSL installed. Then use the x509 module:

openssl x509 -text -in thisserver.crt

Enjoy!

Add and remove SCSI hot to linux.

axelilly — Thu, 04 Aug 2011 15:24:35 +0000

I do file restores from snapshots using a linux server. In my case it’s Centos.

I do this by creating a disk resource from a snapshot on my IPStor SAN. Then I assign the new resource to all nodes of my HQ VMWare cluster.

Create a disk resource from a snapshot on my IPStor SAN.
Assign the new resource to all nodes of my HQ VMWare cluster.
In VMWare, set the path settings for the new FC resource to round robin. (Do this on each node in the cluster.)
Add the resource to the restore linux server as a Raw Device Mappings.
SSH into Linux server used for doing restores.
Rescan the SCSI bus in order to make the new device available for mount. Replace the “X” with the proper host number.

echo “- – - ” > /sys/class/scsi_host/hostX/scan

View the /var/log/messages file in order to determine what block device ID this resource has showed up as. In the example output, you will notice in green that this resource is registered as block device sdb1. Look for some output like this:

Aug  4 10:48:28 zenoss ntfs-3g[7273]: Unmounting /dev/sdb1 (Users)
Aug  4 11:06:22 zenoss kernel:   Vendor: VMware    Model: Virtual disk      Rev: 1.0
Aug  4 11:06:22 zenoss kernel:   Type:   Direct-Access                      ANSI SCSI revision: 02
Aug  4 11:06:22 zenoss kernel:  target0:0:1: Beginning Domain Validation
Aug  4 11:06:22 zenoss kernel:  target0:0:1: Domain Validation skipping write tests
Aug  4 11:06:22 zenoss kernel:  target0:0:1: Ending Domain Validation
Aug  4 11:06:22 zenoss kernel:  target0:0:1: FAST-40 WIDE SCSI 80.0 MB/s ST (25 ns, offset 127)
Aug  4 11:06:22 zenoss kernel: SCSI device sdb: 1572864000 512-byte hdwr sectors (805306 MB)
Aug  4 11:06:22 zenoss kernel: sdb: Write Protect is off
Aug  4 11:06:22 zenoss kernel: sdb: cache data unavailable
Aug  4 11:06:22 zenoss kernel: sdb: assuming drive cache: write through
Aug  4 11:06:22 zenoss kernel: SCSI device sdb: 1572864000 512-byte hdwr sectors (805306 MB)
Aug  4 11:06:22 zenoss kernel: sdb: Write Protect is off
Aug  4 11:06:22 zenoss kernel: sdb: cache data unavailable
Aug  4 11:06:22 zenoss kernel: sdb: assuming drive cache: write through
Aug  4 11:06:22 zenoss kernel:  sdb: sdb1
Aug  4 11:06:22 zenoss kernel: sd 0:0:1:0: Attached scsi disk sdb
Aug  4 11:06:22 zenoss kernel: sd 0:0:1:0: Attached scsi generic sg1 type 0

Make sure that you can see the new resource.

cat /proc/scsi/scsi

Mount the new resource to a available mount spot.

mount /dev/sdb1 /mnt/recover1

Do your restore by copying off the files that you need….yada yada yada
Now it is time to unmount and disconnect the restore resource.
unmount the block device:

umount /dev/sdb1 /mnt/recover1

Delete the SCSI resource from the SCSI bus:

echo “scsi remove-single-device a b c d” > /proc/scsi/scsi
a == hostadapter id (first one being 0)
b == SCSI channel on hostadapter (first one being 0)
c == ID
d == LUN (first one being 0)

Make sure the resource is gone.

cat /proc/scsi/scsi

Now remove the RDM from the virtual host.
Remove SAN assignment of the snapshot resource from VMWare cluster.
Have vmware hosts rescan their FC connectsions.
Delete snap shot resource from SAN.
You are done.

Empathy needs a OTR plugin.

axelilly — Mon, 25 Jul 2011 15:37:18 +0000

I just switched over to using Empathy for my IM client. I really like it better then Pidgin because it has much smoother integration with GNOME3 and is slicker looking. However, one of the things that it is really lacking is the fact that it doesn’t have plugins. Since it doesn’t have plugins, I can’t use encryption such as OTR (Off The Record).

I hope the Empathy fairies here this and that OTR gets added some time.

TFTP new software onto ASA from a TFTP server on other side of VPN tunnel.

axelilly — Fri, 22 Jul 2011 17:49:57 +0000

If you need to TFTP new software (or any other file for that fact) onto a ASA from a TFTP server that is on the other side of a VPN tunnel, you will need to specify the source interface for the TFTP client to use.

The easiest way to do this, is to specify it inline with the copy command:

 copy tftp://192.168.1.30/ASA/asa842-k8.bin;int=INSIDE-management disk0:/asa842-k8.bin

Where, 192.168.1.30 is the IP of the TFTP server. INSIDE-management should be replaced with whatever interface you want to use as source.

No security exception for SSL EV certificates in Fire Fox 3.6.17

axelilly — Wed, 18 May 2011 14:05:12 +0000

Today I learned something new about Fire Fox 3.6.17. I was migrating a SSL EV certificate from a IIS server onto a Virtual Server that is located on a KEMP LoadMaster. This test server on the LM is running a prototype/test site. Therefore, the domain name doesn’t match the domain name that the SSL cert was created for. This normally will create a SSL name mismatch error in the web browser. This error normally can then be bypassed by the user, this process is called “Security Exception” in Fire Fox. I went to add this exception and found that Fire Fox wouldn’t allow me to add it. What’s interesting is that the exception window tells you that the identification of the certificate is so positive that there is no reason for you to add an exception.
This site provides valid, verified identification. There is no need to add an exception.

I think this is a good thing. It really helps make the EV certificates more strong and adds value to them. I guess I’ll go back to using a self signed certificate for testing.

No security exception.

suid, sgid, sticky bit

axelilly — Wed, 15 Dec 2010 16:38:03 +0000

Great quick reference article on suid, sguid and sticky bit.

http://www.zzee.com/solutions/linux-permissions.shtml

What do the ‘ls’ colors mean in BASH?

axelilly — Wed, 15 Dec 2010 16:27:35 +0000

Ever wonder what all the default colors outputed by ls in BASH mean? These are some of the common default ones:

Executable files: Green
* Normal file : Normal
* Directory: Blue
* Symbolic link : Cyan
* Pipe: Yellow
* Socket: Magenta
* Block device driver: Bold yellow foreground, with black background
* Character device driver: Bold yellow foreground, with black background
* Orphaned syminks : Blinking Bold white with red background
* Missing links ( – and the files they point to) : Blinking Bold white with red background
* Archives or compressed : Red (.tar, .gz, .zip, .rpm)
* Image files : Magenta (.jpg, gif, bmp, png, tif)

Ganked from: http://www.cyberciti.biz/tips/where-is-color-of-ls-command-defined.html

Ping inside interface of ASA accross a VPN tunnel.

axelilly — Thu, 14 Oct 2010 16:15:09 +0000

Do you need to ping the inside interface of a ASA across a VPN tunnel?
Maybe you need to do this for monitoring purposes, or whatever.

Allow access of ICMP to the inside interface:
icmp permit host 192.168.1.10 inside

Monitoring station —> 192.168.1.10
Inside interface —> inside

Notes on ASA 8.3 NAT

axelilly — Wed, 13 Oct 2010 15:19:04 +0000

Cisco ASA 8.3 has introduced major changes in how NAT is configured and operates.

This video is a excellent resource for a basic introduction to NAT on ASA 8.3 software:

https://supportforums.cisco.com/docs/DOC-12324

Here are some quick notes that I have gathered for my reference. Feel free to post any additional comments and notes you may have to share:

COMMANDS

show run objects

(Displays network and service objects that are in the running confg)

show run object id

(Displays a specific object)

show run nat

(Displays running config NAT configurations)

show nat

(Displays NAT policies and counters)

Use packet-tracer for testing NAT (and other things)

packet-tracer input inside tcp 10.0.0.40 4444 198.133.219.25 80

Configure Auto-NAT:

object network inside
   subnet 192.168.1.0 255.255.255.0
   nat (inside,outside) dynamic interface

Note: This will configure PAT onto the outside interface for the inside subnet, while at the same time configuring the network object for the inside subnet.

Configure Twice(manual) NAT:

nat (inside,outside) source dynamic inside-net translated-ip destination static cisco-dot-com cisco-dot-com

Note: You must first define the network objects for the source and destination before configuring manual NAT. In this example, the source IP address of the inside host is translated to “translated-ip” only when the dynamic host is sending a packet that is destined to “cisco-dot-com”. cisco-dot-com is entered twice because we are not translating the destination. If we wanted to translate the destination, we would do it here.

Exempt subnets from NAT because of VPN tunnel:

nat (inside,outside) static inside-net inside-net destination static vpn-subnets vpn-subnets

This statement will catch traffic on the inside trying to go to the outside. Traffic that matches the source and destination is operated on but no change is made.

General Notes:

ASA 8.3 has two types of NAT: Auto-NAT and Twice (manual) NAT. You can use Auto-NAT for most NAT/PAT operations, except for ones that need to make a decision based upon the destination address of a packet.

With ASA 8.3, a new change called “Real IP” was introduced. Real IP means that NAT translation happens BEFORE a ACL is checked. Therefore ACLs must contain the real IP address of the host that the inbound packet is headed towards. In other words, do not write the ACL to match on the “mapped” IP address. The real IP address is normally a non-routable IP address.