Category: Computers & Technology

How to get tcpdump from Virtual Switches in ESX 3

1) Install VMware-esx-supptools-3.0.0-1.i386.rpm from the ESX 3 cd.

2) You can then run “/usr/lib/vmware/support/esxnet-support man” and learn how to use the tool, but …

3) To get a trace from the portgroup, you’ll need to run:

/usr/lib/vmware/support/esxnet-support trace -z -p Network0

Network0 of course will need to change to your portgroup name.

Another thing you can do is create a portgroup and put it in promiscuous mode. Then, run tcpdump in that guest that’s in that portgroup.

How to install VMware Tools in Trustix Secure Linux

How to install VMware Tools

This is taken from: http://www.trustix.net/wiki/index.php/VMwareTools

How to install VMware Tools

This has (so far) only been verified to work on VMware Workstation v5.5 and a TSL 3.0 installation with the following groups installed: “Minimal with SSH”, “Commonly used local utilities” and “Commonly used network utilities”; a typical, almost minimal, TSL system.

Required packages

You need the following packages installed on the system to get VMware Tools to compile the needed modules (other packages may be installed due to dependencies):

make
gcc
glibc-devel
kernel-source

All in one using swup:

swup --install make gcc kernel-source glibc-devel

n.b. –ignore-filter may be required on TSL 2.2 to allow kernel-source to be installed.

Configure kernel-source

VMware tools won’t compile if you have not configured and prepared the kernel-source.

  • The kernel-source installs itself in /usr/src/kernel-source-<version>. You should link this folder to /usr/src/linux:
cd /usr/src
ln -s kernel-source-<version> linux

We also need to copy the kernel config file into our kernel-source:

cp /boot/config-<version> /usr/src/linux/.config
  • Lets prepare the kernel-source for VMware Tools:
cd /usr/src/linux
make oldconfig
make modules_prepare

n.b. With TSL 2.2 use ‘make dep’ in place of ‘make modules_prepare’.

Install VMware Tools

Having your TSL 3.0 installation active, release the lock (CTRL+ALT) and go to the menu and choose:

VM -> Install VMware Tools..

Mount the virtual CD-ROM containing the VMware tools and install the rpm there. Then unmount it.

mount /mnt/cdrom
rpm -Uhv /mnt/cdrom/VMwareTools-<version>-i386.rpm
umount /mnt/cdrom

Compile and configure VMware modules for TSL

To finish the VMware Tools installation we run the VMware tools configure script and it will compile the VMware Tools modules:

vmware-config-tools.pl

Answer yes to all questions and all but the X Windows display driver is configured. See below for X Window driver support.

Optimized network driver – VMXnet

When TSL 3.0 was installed as guest OS it found and installed the pcnet32 driver. You could stick with it, but I would recommend you change it for the optimized vmxnet driver which was just compiled. The following instructions are displayed after vmware-config-tools.pl finish to help you replace the network driver:

service network stop
rmmod pcnet32
rmmod vxnet
vi /etc/modprobe.conf /etc/mkinitrd/modules <-- change vmnics to vmxnet
tsl-fixboot.sh --install <kernel-version>
depmod -a
modprobe vmxnet
service network start

X Window

You need the following packages installed to have the X Window driver compile (other packages may download and install due to dependencies):

xorg-x11
xorg-x11-devel

As always, you may install them all in one using swup:

swup --install xorg-x11 xorg-x11-devel

Now run vmware-config-tools.pl again to compile the svga driver:

vmware-config-tools.pl

NB! You may get a warning about not being able to compile the vmxnet driver. Just ignore that. You already have it installed if you followed the instructions above.

Please note, this will only give you a minimalistic xorg-x11 without gnome or another DE/WM. I would recommend you check out the Desktop Environment section to get a fully working and useful desktop.

If you get the error when compiling the tool: “The kernel defined by this directory of header files does not have the same address space size as your running kernel.”

The way I fixed it was just by using a newer version of VMware-tools. I used the source from ESX 3.0 and you can search on the web and you should be able to find it.

How to Set Up DNS Blacklisting in a Lab Environment for Test

This is a very simple setup for those who have a lab environment where they do not want to be connected to the public Internet while doing the testing.

Some background:

The way dnsbl works is that when a connection is made to your mail server, it will take the client’s IP address, reverse it, append a domain onto it, and do a dns A or TXT record lookup for that name.

For example, if a spammer’s IP is 10.4.17.108, and you are using spam.list.com as your dnsbl site, your MTA will do a query for 108.17.4.10.spam.list.com. If the query returns positive, it means that the IP address is listed in the blackhole list and that mail should be rejected.

So the first thing you will need to do is set up a simple dns server. You can find out how to do that by consulting the DNS & Bind book or http://docs.sun.com/db/doc/816-7511 or various other sources.

Then, you need to set up a zone. Here's a sample:
 
# cat /var/named/spam.list.com
 
$TTL 86400 
@ 1D IN SOA @ root (
  42 ; serial
 3H ; refresh
 15M ; retry
 1W ; expiry
 1D ) ; minimum
NS localhost.
 A 10.4.16.11
108.17.4.10 IN A 127.0.0.2
108.17.4.10 IN TXT "10.4.17.108 is listed in spam.list.com"

With this in tact, all you need to do is set up your MTA to use spam.list.com for dnsbl calls.

lost vmfs volume – says 100% available – SAN LUN, storage pr

1) fdisk -l

this would show which device doesn’t have a partition.

2) dd if=/dev/sd(x) of=/tmp/dump_sdx.txt count=100 bs=1024

file /tmp/dump_sdx.txt shows x86 boot sector.

strings /tmp/dump_sdx.txt shows some vmdk files

3) fdisk -lu /dev/sd(x) shows that there are no partitions on the disk.

4) ran fdisk /dev/sd(x). created new partition spanning entire lun and then used partition type fb.

5) run “vmkfstools -V”

That’s it

Synchronizing with time server: [FAILED]

ntpd: Synchronizing with time server: [FAILED]
Starting ntpd: [ OK ]

When does it do the sync?

# Synchronize with servers if step-tickers exists

# or the -x option is used
echo -n $”$prog: Synchronizing with time server: ”
/usr/sbin/ntpdate $dropstr -s -b -p 8 $tickers 2>/dev/null >/dev/null
RETVAL=$?
[ $RETVAL -eq 0 ] && success || failure It does the sync when the /etc/ntp/step-tickers file is there. [root@localhost ~]#

cat /etc/ntp/step-tickers
time.vmware.com

Why would this happen? Strange stuff…

[root@localhost ~]# /etc/init.d/ntpd stop
Shutting down ntpd: [ OK ]
[root@localhost ~]# ntpdate time.vmware.com
28 Jun 10:49:44 ntpdate[25663]: step time server 10.16.12.148 offset 90.895171 sec

The ntpdate command doesn’t fail … wonder why… tail /var/log/messages shows:
Jun 28 10:52:31 localhost ntpd: ntpd shutdown failed
un 28 10:52:31 localhost ntpdate[26038]: can’t find host time.vmware.com
Jun 28 10:52:31 localhost ntpdate[26038]: no servers can be used, exiting
Jun 28 10:52:31 localhost ntpd: failed
Jun 28 10:52:31 localhost ntpd[26043]: ntpd [email protected] Wed Nov 17 15:43:55 EST 2004 (1)
Jun 28 10:52:32 localhost ntpd: ntpd startup succeeded

Can’t find host? Why’s that? Let’s try using the IP address instead of the name in the step-tickers file. Well, the IP address fixes it in Redhat Enterprise Linux 4, but I had this problem with ESX server (based on Redhat 7.2).

The problem was
[root@localhost ~]# file /etc/ntp/step-tickers
/etc/ntp/step-tickers: ASCII text, with CRLF line terminators The file was a DOS file. When the problem was in ESX, I was able to see the ^M character in /var/log/messages, so I was able to fix it after finding that. Fun stuff huh?

Interesting time issue …

Interesting Time issue in Linux.<-->

To complicate things a little, this was Redhat Enterprise Linux 4 update 2 in a VMware VM – reason why it makes it a little more complicated is because that there’s a time problem for Virtual Machines – in virtualization, you can’t afford to give the clock ticks that the older 2.6 kernels ask for (default 1000HZ). You can read more on it here: http://www.vmware.com/vmtn/resources/238.

So in this case, virtualization wasn’t the problem.

Here’s where I started:

ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime

date

Mon Feb 13 18:25:28 UTC 2006

ls -ld /etc/localtime

lrwxrwxrwx 1 root root 35 Feb 13 18:25 /etc/localtime -> /usr/share/zoneinfo/America/Chicago

cat /etc/sysconfig/clock

ZONE=”America/Chicago”

UTC=false

ARC=false

run hwclock – it just gives you the prompt back.

date -s “Feb 13 20:25:28 PST 2006”

run date and get

Mon Feb 13 04:25:28 UTC 2006

run setup – go through the options set it to America/Chicago and still … UTC … why!?

set:

export TZ=America/chicago

still … date shows UTC!

reboot the Vm, go into the bios … same thing …. why!!??

zdump -v America/Chicago … shows a bunch of bullshit – nothing that helps.

finally:

rpm -qf /usr/share/zoneinfo/America/Chicago

rpm –verify tzdata-2004e-2

S.5….T. /usr/share/zoneinfo/America/Chicago

S.5….T. /usr/share/zoneinfo/CST6CDT

S.5….T. /usr/share/zoneinfo/SystemV/CST6CDT

S.5….T. /usr/share/zoneinfo/US/Central

ahh … wonder how the files got changed. Anyways, it doesn’t matter.

reinstalled rpm

rpm –force -Uvh tzdata-2004e-2.noarch.rpm

Now run:

ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime

Now the date’s okay … cool deal!

mysql commands – create database / set permissions

/usr/bin/mysqladmin -u root password ‘new-password’
/usr/bin/mysqladmin -u root -h chunli.shocknetwork.com password ‘new-password’

mysql -u root -p -e “create database <dbname>”
mysql -u root -p -e “grant all on <dbname>.* to <user>@localhost identified by ‘<password>'”

Sendmail routing through Microsoft Active Directory

Sendmail routing through Microsoft Active Directory

To give credit where credit is due, the attachment was sent to me from Randy Fox from csgsystems. There’s one bug with public folders. The workaround is to create a mailing list by the same name and make the public folder a member of the list.

If you’re reading this, you are probably running a Microsoft Exchange
Server or probably currently already have sendmail relaying to an Exchange
Server and want to improve your setup.

Most sendmail to exchange setups will take mail and blindly relay the mail
over. If yours is like this, you will know that you get email bounces that
can go nowhere because most of the initial intentions of the emails were
for spam and they would just send messages to users that they don’t know
even exist. A major problem with this is that it will hold up your sendmail
queue and hinder your performance as it will try to send these emails just
as much as the ones that are important and need to be sent out immediately.
This article will show you how to use sendmail’s ldap features to look into
the Active Directory to see where the mail should go and have sendmail send
it there. By having sendmail look into the Active Directory, it will know
whether users exist and will stop immediately after the “RCPT TO” in the
envelope if users don’t exist, eliminating the useless, bounce emails that
never get anywhere.

This procedure is not fully supported by Sun support because of the amount
of customization required.

First off, you will need a version of sendmail that has ldap capabilities
compiled into it. You can check this with:

/usr/lib/sendmail -d0.11 < /dev/null

Version 8.12.8+Sun
Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8

When you see LDAPMAP, you know that it will work. Solaris 7-9 should all
work. Patches are available for those that don’t.

The Microsoft Active Directory is a different ldap server than your typical
ldap server, so you will want to browse the directory and learn more about
how it’s designed. You will need to find or create a user that can browse
the Active Directory.

For the sake of simplicity, this example will use the Administrator userid
and his password to bind to the Active Directory server and find view its
contents.

For Solaris 8-9, if you have the SUNWlldap package installed, you can use
the ldapsearch command located /usr/bin. Run something like:

/usr/bin/ldapsearch -L -D “cn=Administrator, cn=Users, dc=domain, dc=com” \
-h domaincontroller.domain.com -b “dc=domain,dc=com” objectclass=* \
> /tmp/active_directory.ldif

It will ask you for a password. You want to input the Windows
Administrator’s password there. You can open the /tmp/active_directory.ldif
file and read it and you can find a lot of the information in the directory
server.

If you do not have the ldapsearch command, while logged in as Administrator
on the Exchange server, you can achieve a similar result in Windows with

ldifde -f c:\temp\export.ldif -v

Upon knowing what’s in the Active Directory, you can proceed to plug this
data into your sendmail configuration.

Because the Active Directory is a little different from your standard ldap
server, some hacks are required to make sendmail work.

You want to go into your /usr/lib/mail/hack directory. You can create it if
the directory isn’t there. (The files are attached.) In there, you want to create a file called
AD_ldap_routing.m4 and inside of it have:

divert(-1)
#
# Copyright (c) 1999-2001 Sendmail, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

divert(0)
VERSIONID(`$Id: ldap_routing.m4,v 8.8 2001/06/27 21:46:31 gshapiro Exp $')
divert(-1)

# Check first two arguments. If they aren't set, may need to warn in proto.m4
ifelse(len(X`'_ARG1_), `1', `define(`_LDAP_ROUTING_WARN_', `yes')')
ifelse(len(X`'_ARG2_), `1', `define(`_LDAP_ROUTING_WARN_', `yes')')

# Check for third argument to indicate how to deal with non-existant
# LDAP records
ifelse(len(X`'_ARG3_), `1', `define(`_LDAP_ROUTING_', `_PASS_THROUGH_')',
 _ARG3_, `passthru', `define(`_LDAP_ROUTING_', `_PASS_THROUGH_')',
 `define(`_LDAP_ROUTING_', `_MUST_EXIST_')')

# Check for fouth argument to indicate how to deal with +detail info
ifelse(len(X`'_ARG4_), `1', `',
 _ARG4_, `strip', `define(`_LDAP_ROUTE_DETAIL_', `_STRIP_')',
 _ARG4_, `preserve', `define(`_LDAP_ROUTE_DETAIL_', `_PRESERVE_')')

LOCAL_CONFIG
# LDAP routing maps
Kldapmh ifelse(len(X`'_ARG1_), `1',
 `ldap -1 -v msExchHomeServerName,msExchExpansionServerName -k (|(mail=%0)(proxyaddresses=smtp:%0))',
 `_ARG1_')

Kldapmra ifelse(len(X`'_ARG2_), `1',
 `ldap -1 -v targetAddress -k (|(mail=%0)(proxyaddresses=smtp:%0))',
 `_ARG2_')

The next step is to make the modifications to your .mc file.

The first feature we should add is a mailertable to tell sendmail where to
send mail with different ldapsearch results.

So we add the line:
FEATURE(`mailertable’)

To add the ldap features into sendmail. Add the lines (of course, you put
in your domains):
HACK(`AD_ldap_routing')
LDAPROUTE_DOMAIN(`domain.com')dnl # what domain to do ldap lookups for.
LDAPROUTE_DOMAIN(`secondarydomain.com')dnl # alternate domain to do ldap lookups for.

You then need to specify your Active Directory settings (this all fits on
one line). You will also need to create the file /etc/mail/ldap.passwd. (We
will do this later)

define(`confLDAP_DEFAULT_SPEC',`-h domaincontroller.domain.com -M simple -d "cn=Administrator, cn=Users, dc=domain, dc=com" -P /etc/mail/ldap.passwd -p 389 -b "dc=domain, dc=com"')

We will now have to add some custom rulesets. There’s also one line you need to change here:

R<> </ o=CSG Systems , Inc . / ou=CSG / cn=Configuration / cn=Servers / $+> <$+> <$+> <$*> $>LDAPMailertable <$1> $2

Make it match your organzation. You can find this by looking at your
active_directory.ldif file and seeing
the msExchHomeServerName attribute. Every user entry should have something
like:

msExchHomeServerName: /o=Domain/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=domaincontroller

With that, you just strip off the last cn= and make spaces in between.

LOCAL_NET_CONFIG
R$* < @ $=m . > $* $#esmtp $@ $2 $: $1 < @ $2 . > $3 internal addr delivered to host
R$* < @ $+ . $=m . > $* $#esmtp $@ $2 . $3 $: $1 < @ $2 .$3 . > $4 internal w/host

# Begin custom LDAP rule set.
# the following lines are essentually copied from the proto.m4 file. They are entered here to maintain the proper,
# original flow control but process the Active Directory response properly.
# pass names that still have a host to a smarthost (if defined)
R$* < @ $* > $* $: $>MailerToTriple < $S > $1 < @ $2 > $3 glue on smarthost name

# deal with other remote names
R$* < @$* > $* $#esmtp $@ $2 $: $1 < @ $2 > $3 [email protected]

# handle locally delivered names
R$=L $#local $: @ $1 special local names
R$+ $#local $: $1 regular local names

SLDAPExpand
#do the LDAP lookup for the Exchange Mail Host
R<$+><$+><$*> $: <$(ldapmra $2 $: $)> <$(ldapmh $2 $: $)> <$1> <$2> <$3>

# if mailRoutingAddress (targetAddress) and local or non-existant mailHost,
# return the new mailRoutingAddress
R<$+> <$=w> <$+> <$+> <$*> $@ $>Parse0 $>canonify $1
R<$+> <> <$+> <$+> <$*> $@ $>Parse0 $>canonify $1

# fix hostname in Mailertable, relay from there
R<$+> <$+> <$+> <$+> <$*> $>LDAPMailertable <$2> $>canonify $1

# if no mailRoutingAddress and local mailHost,
# return original address
R<> <$=w> <$+> <$+> <$*> $@ $2

# if no mailRoutingAddress and non-local mailHost,
# relay to mailHost (Exchange Server) with original address
# "de-AD" response at same time
# You'll need to do the query manually the find the proper stuff to pull out
R<> </ o=CSG Systems , Inc . / ou=CSG / cn=Configuration / cn=Servers / $+> <$+> <$+> <$*> $>LDAPMailertable <$1> $2

# if still no mailRoutingAddress and no mailHost,
# try @domain
R<> <> <$+> <$+ @ $+> <$*> $@ $>LDAPExpand <$1> <@ $3> <$4>

# if no mailRoutingAddress and no mailHost and this was a domain attempt,
# return the original address
R<> <> <$+> <@ $+> <$*> $@ $1
# End of custom LDAPExpand rule set

You now want to create your cf file.

/usr/ccs/bin/m4 ../m4/cf.m4 file.mc > file.cf

Now that we’re done with the cf file, we need to supply the other files to
the configuration.
Create the ldap.passwd file:
echo “activedirectorypassword” > /etc/mail/ldap.passwd

Create the mailertable to tell sendmail where to send the mail. When we
stripped the last cn= off of the msExchHomeServerName, we will take that
and put it here. So my /etc/mail/mailertable will look like:
cn=domaincontroller esmtp:exchangeserver.domain.com

After you create this file, you will need to put it in the database for
sendmail to read it. Do this by running the command:
makemap -v hash /etc/mail/mailertable < /etc/mail/mailertable

You will also need to tell sendmail that you take mail for the domain as
well, so you want to put your domain in /etc/mail/local-host-names.
echo “domain.com” > /etc/mail/local-host-names

Now we will need to restart sendmail and test it. Run a command like this
for a user in the Active Directory:
/usr/lib/sendmail -bv [email protected]

You should see: [email protected]… deliverable: mailer esmtp, host
domaincontroller.domain.com, user [email protected]

If you run the same command on a user that’s not in the Active Directory,
you should get:
/usr/lib/sendmail -bv [email protected]
[email protected]… User unknown

Once you’ve got this, you’re all set!

————————————————————————————————————-
Some ideas on troubleshooting:

If you see
/usr/sbin/sendmail -bv [email protected]
[email protected]… deliverable: mailer relay, host cn=exchangeserver, user
[email protected]

You probably forgot the mailertable. The mailertable translates the cn=host
to the actual host and tells it which protocol to use to send the mail. In
our case, we use esmtp.

If you see something like this:
/usr/sbin/sendmail -bv [email protected]
[email protected]… deliverable: mailer esmtp, host domain.com., user
>/o=domain/ou=First.Administrative.Group/cn=Configuration/cn=Servers/[email protected]@domain.com<

You have the wrong data in the area where it says:
# relay to mailHost (Exchange Server) with original address
# “de-AD” response at same time
in the sendmail.mc file.

 

Because it’s hard to read the .mc file stuff in the text, you can download the files here: AD_Routing.tar