How to install VMware Tools in Trustix Secure Linux

How to install VMware Tools

This is taken from: http://www.trustix.net/wiki/index.php/VMwareTools

This has (so far) only been verified to work on VMware Workstation v5.5 and a TSL 3.0 installation with the following groups installed: “Minimal with SSH”, “Commonly used local utilities” and “Commonly used network utilities”; a typical, almost minimal, TSL system.

Required packages

You need the following packages installed on the system to get VMware Tools to compile the needed modules (other packages may be installed due to dependencies):

make
gcc
glibc-devel
kernel-source

All in one using swup:

swup --install make gcc kernel-source glibc-devel

n.b. --ignore-filter may be required on TSL 2.2 to allow kernel-source to be installed.

Configure kernel-source

VMware tools won’t compile if you have not configured and prepared the kernel-source.

The kernel-source installs itself in /usr/src/kernel-source-<version>. You should link this folder to /usr/src/linux:

cd /usr/src
ln -s kernel-source-<version> linux

We also need to copy the kernel config file into our kernel-source:

cp /boot/config-<version> /usr/src/linux/.config

Now prepare the kernel-source for VMware Tools:

cd /usr/src/linux
make oldconfig
make modules_prepare

n.b. With TSL 2.2 use ‘make dep’ in place of ‘make modules_prepare’.

Install VMware Tools

Having your TSL 3.0 installation active, release the lock (CTRL+ALT) and go to the menu and choose:

VM -> Install VMware Tools..

Mount the virtual CD-ROM containing the VMware tools and install the rpm there. Then unmount it.

mount /mnt/cdrom
rpm -Uhv /mnt/cdrom/VMwareTools-<version>-i386.rpm
umount /mnt/cdrom

Compile and configure VMware modules for TSL

To finish the VMware Tools installation we run the VMware tools configure script and it will compile the VMware Tools modules:

vmware-config-tools.pl

Answer yes to all questions; everything but the X Window display driver is then configured. See below for X Window driver support.

Optimized network driver – VMXnet

When TSL 3.0 was installed as the guest OS it found and installed the pcnet32 driver. You could stick with it, but I would recommend you change it for the optimized vmxnet driver that was just compiled. The following instructions are displayed after vmware-config-tools.pl finishes, to help you replace the network driver:

service network stop
rmmod pcnet32
rmmod vmxnet
vi /etc/modprobe.conf /etc/mkinitrd/modules <-- change vmnics to vmxnet
tsl-fixboot.sh --install <kernel-version>
depmod -a
modprobe vmxnet
service network start

X Window

You need the following packages installed to have the X Window driver compile (other packages may download and install due to dependencies):

xorg-x11
xorg-x11-devel

As always, you may install them all in one using swup:

swup --install xorg-x11 xorg-x11-devel

Now run vmware-config-tools.pl again to compile the svga driver:

vmware-config-tools.pl

NB! You may get a warning about not being able to compile the vmxnet driver. Just ignore that. You already have it installed if you followed the instructions above.

Please note, this will only give you a minimalistic xorg-x11 without gnome or another DE/WM. I would recommend you check out the Desktop Environment section to get a fully working and useful desktop.

If you get this error when compiling the tools: “The kernel defined by this directory of header files does not have the same address space size as your running kernel.”

The way I fixed it was just by using a newer version of VMware-tools. I used the source from ESX 3.0 and you can search on the web and you should be able to find it.

Setting up STARTTLS with sendmail and OpenSSL

STEP 1: Enable STARTTLS in sendmail

1. Install OpenSSL (http://www.openssl.org) as described in OpenSSL's INSTALL file. After installation, be sure that the openssl program is in your path (cp /usr/local/ssl/bin/openssl /usr/bin), otherwise the CA.pl program does not work.

2. Create or edit /usr/src/sendmail-8.12.7/devtools/Site/site.config.m4 and insert the following lines:

APPENDDEF(`confINCDIRS', `-I/usr/local/ssl/include')
APPENDDEF(`confLIBDIRS', `-L/usr/local/ssl/lib')
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto')

3. Rebuild and install sendmail with the -c option (see README in devtools/Site):

cd /usr/src/sendmail-8.12.7
./Build -c
./Build install

4. Check that sendmail is compiled with STARTTLS:

/usr/sbin/sendmail -d0.1 -bp

5. Edit /usr/src/sendmail-8.12.7/cf/cf/sendmail.mc and insert the following lines:

define(`confCACERT_PATH', `/etc/mail/certs/')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/cert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/key.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/cert.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/key.pem')dnl

6. Back up and regenerate /etc/mail/sendmail.cf:

cd /etc/mail
cp sendmail.cf sendmail.cf.bak
cd /usr/src/sendmail-8.12.7/cf/cf
./Build sendmail.cf
./Build install-cf

7. Now you have to create three files: cacert.pem (CA certificate), cert.pem (X.509 certificate, signed by the CA) and key.pem (X.509 private key). This is how you do this:

cd /usr/local/ssl/certs
../misc/CA.pl -newca
../misc/CA.pl -newreq-nodes
../misc/CA.pl -sign
mkdir /etc/mail/certs
cp demoCA/cacert.pem /etc/mail/certs
cp newreq.pem /etc/mail/certs/key.pem
cp newcert.pem /etc/mail/certs/cert.pem
chmod 400 /etc/mail/certs/key.pem

When the command 'CA.pl -newca' asks for a Common Name, fill in the name of your organization. When the command 'CA.pl -newreq-nodes' asks for a Common Name, you must enter the hostname of your SMTP server, and it must be the same name as the smtp-server field on the mail client, e.g. smtp.domain.nl.

8. Restart sendmail:

kill `head -1 /var/run/sendmail.pid`
/usr/sbin/sendmail -L sm-mta -bd -q30m
telnet localhost 25

9. Check whether sendmail supports STARTTLS. Issue an 'EHLO localhost' command. You should see a line 250-STARTTLS:

root@server:/# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server.pc184.nl ESMTP Sendmail 8.12.7/8.12.7; Wed, 19 Feb 2003 10:59:57 +0100
EHLO localhost
250-server.pc184.nl Hello root@localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP

Check your log files if you don't see it (increase LogLevel to 14 in your sendmail.cf). So far for the server side setup.

STEP 2: Client side setup

The next step is to configure your mail clients for an SSL SMTP connection and install the client personal and root certificates on them. If you don't install these certificates, the client will complain that it cannot verify the server certificate. This is normal, because you are using a self-signed server certificate. You do not have this problem if you buy a certificate from a trusted provider. For Outlook Express 6, for example, you will see this warning: "The server you are connected to is using a security certificate that could not be verified. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

This is how you create your client certificate:

cd /usr/local/ssl/certs
../misc/CA.pl -pkcs12

It will create a file newcert.p12 that you can import in your client. You will have to fill in a password that the client has to use when he imports the newcert.p12 file, so don't use the same one you have used earlier.

For Outlook Express 6 you can follow these steps:
1. Copy the file newcert.p12 to a directory on your Windows client and right-click on it.
2. Choose "Install PFX" and follow the instructions. It will install a personal and a root certificate. That's great. You can check it in Explorer > Internet Options.
3. In Outlook, turn on the SSL option for your outgoing mail server.

For Netscape Messenger 4.7 you can follow these steps:
1. Start Messenger, click on the little lock in the bottom left corner.
2. Choose Certificates > Yours > Import a certificate.
3. Import the file newcert.p12.
4. Click on Signers, select your CA cert, and edit it to enable all features.
5. Click on Yours, select your personal cert, and click Verify. You should get "successfully verified".
6. Enable Secure SMTP in the Messenger config.

Now send a mail to yourself and check the message source. It must contain a Received header with SSL information. You can also check your sendmail log. If you see Verify=OK, then the server verified the presented client certificate as OK. If you see Verify=NO, then the client didn't present a certificate and you are probably using Outlook Express. This is what I found on the Internet: Outlook Express as of Internet Explorer 5 will work, but it will not present any client certificate. So you can encrypt your email transfer but you cannot authenticate (and relay) with client certificates (source: http://www.aet.tu-cottbus.de/personen/j … /test.html). Post a follow-up for comments on this. I get Verify=OK with Netscape Messenger 4.7 and Verify=NO with Outlook Express 6.

STEP 3: Allow relaying based on client certificate

The last step is to allow relaying based on a trusted client certificate. This is very useful, because your client can then send mail to your mail server, independent of his IP. It only works if the server can verify the client (Verify must be OK). Do the following:

1. Open your sendmail log file and search for the "cert-issuer" field that came from your client.
2. Copy the content of this field to your access database file (probably /etc/mail/access_map, see also http://www.sendmail.org/m4/anti_spam.html) and insert CERTISSUER: and RELAY, like this:

CERTISSUER:/C=NL/ST=SomeState/L=SomePlace/O=SomeOrg/CN=SomeOrg/emailAddress=SomeEmail	RELAY

3. Create the database map:

makemap hash access_map < access_map

Then test it, because you want to relay: you can use [email protected]. It will bounce your mail and you can check all headers. Remember that this setup only provides a secure transmission from sender to mail server. Your mail will probably go unsecured from there.

Now, that's it. I hope this document is useful and correct; don't mail me for suggestions/corrections but please follow up to this post. You can find more information on:

http://www.sendmail.org
http://www.openssl.org
http://www.sendmail.org/~ca/email/starttls.html
http://www.linuxjournal.com/article.php?sid=4823
http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml
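Added example, not part of the original how-to: it automates the two checks the text above does by hand, namely that the EHLO reply advertises STARTTLS (step 9) and that the sendmail log shows Verify=OK with a cert-issuer field to copy into the access map (STEP 2 and STEP 3). The EHLO reply and log lines are constructed samples; the live probe assumes the server and CA file built above.

```python
"""Added example, not part of the original how-to: automate the checks the
text tells you to do by hand (EHLO offers STARTTLS; the sendmail log shows
verify=OK and a cert-issuer to relay on). Sample data below is constructed."""
import re
import smtplib
import ssl

# Constructed EHLO reply, modelled on the telnet transcript in step 9.
SAMPLE_EHLO_REPLY = """250-server.pc184.nl Hello root@localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-STARTTLS
250 HELP"""

# Constructed sendmail log lines (LogLevel 14), modelled on the verify= and
# cert-issuer= fields the text refers to. Two sessions: one with a verified
# client certificate, one where the client presented none (verify=NO).
SAMPLE_LOG = """\
Feb 19 11:02:13 server sm-mta[1234]: h1JA2DAb001234: STARTTLS=server, relay=client.domain.nl [192.0.2.10], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Feb 19 11:02:13 server sm-mta[1234]: h1JA2DAb001234: STARTTLS=server, cert-subject=/C=NL/ST=SomeState/L=SomePlace/O=SomeOrg/CN=client.domain.nl/emailAddress=SomeEmail, cert-issuer=/C=NL/ST=SomeState/L=SomePlace/O=SomeOrg/CN=SomeOrg/emailAddress=SomeEmail
Feb 19 11:05:41 server sm-mta[1240]: h1JA5fAb001240: STARTTLS=server, relay=[192.0.2.20], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Feb 19 11:05:42 server sm-mta[1240]: h1JA5fAb001240: from=<someone@example.org>, size=512, class=0, nrcpts=1
""".splitlines()


def ehlo_extensions(reply):
    """ESMTP keywords from a multi-line 250 reply. The first line is the
    greeting ("Hello ..."); every later line is "250-KEYWORD" or "250 KEYWORD"."""
    exts = []
    for line in reply.strip().splitlines()[1:]:
        m = re.match(r"250[- ](\S+)", line)
        if m:
            exts.append(m.group(1).upper())
    return exts


def advertises_starttls(reply):
    return "STARTTLS" in ehlo_extensions(reply)


STARTTLS_LINE = re.compile(r"(\S+): STARTTLS=(server|client), (.*)$")


def starttls_sessions(log_lines):
    """Merge the key=value fields of all STARTTLS= log lines, keyed by queue id,
    so the verify= line and the cert-issuer= line of one session end up together."""
    sessions = {}
    for line in log_lines:
        m = STARTTLS_LINE.search(line)
        if not m:
            continue
        fields = sessions.setdefault(m.group(1), {"role": m.group(2)})
        for kv in m.group(3).split(", "):
            key, _, value = kv.partition("=")
            fields[key] = value
    return sessions


def relay_entries(log_lines):
    """Access-map lines (CERTISSUER:<dn><TAB>RELAY) for every session whose client
    certificate the server verified, the condition STEP 3 sets (Verify=OK).
    The issuer DN is copied verbatim from the log, as the text instructs."""
    entries = []
    for fields in starttls_sessions(log_lines).values():
        if fields.get("verify") == "OK" and "cert-issuer" in fields:
            entries.append("CERTISSUER:%s\tRELAY" % fields["cert-issuer"])
    return entries


def probe_starttls(host="localhost", port=25, cafile="/etc/mail/certs/cacert.pem"):
    """Live check against the server built above (needs network access): EHLO,
    confirm STARTTLS is offered, then upgrade the connection while verifying the
    server certificate against the CA created with 'CA.pl -newca'."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False}
        smtp.starttls(context=ctx)  # raises ssl.SSLError if the chain does not verify
        return {"starttls": True, "peer": smtp.sock.getpeercert().get("subject")}


if __name__ == "__main__":
    print("EHLO offers STARTTLS:", advertises_starttls(SAMPLE_EHLO_REPLY))
    for entry in relay_entries(SAMPLE_LOG):
        print(entry)
```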

Removing Version Information From Services

http://www.security-forums.com/viewtopi … ht=#129555
Displaying service version information might look cool, but it is definitely not a good idea. There are numerous malicious folks out there that will use this version information to search for the proper exploits to gain access to your machine. Retrieving version information for a running service is very simple. A simple telnet to the service will do the trick. Try it out on your local SMTP server. Wait for a zero-day exploit for that specific service and *bang* you own it… or you are owned. Without the service version information, the bad guy can only guess, and will have to try multiple times, possibly revealing himself. This, in a way, will buy time and prevent certain bad things from happening, but it doesn't mean you no longer need to update the services when they are vulnerable.

This document describes the modifications which need to be made to remove version information from services like OpenSSH, sendmail, etc. Some of these require simple modifications to a configuration file, while others need to have some source code modified. It will focus on the following services:

* OpenSSH (ssh)
* Sendmail (smtp)
* UW ipopd imapd (pop2, pop3 and imap)
* Apache 1.3 (http/https)
* Apache 2.0 (http/https)
* PHP4
* mod_ssl (https)
* Bahamut IRCd

Possibly more will be added. If you feel something is missing or you have any other useful additions to this document, just drop me a line.

OpenSSH
Modifying the version of this open source SSH implementation has become quite simple. Within the source tree of OpenSSH locate the following file:
Code:
openssh-3.x/version.h
This will say something like this:
Code:
#define SSH_VERSION "OpenSSH_3.x"
This value can be changed into anything of your liking:
Code:
#define SSH_VERSION "SSH_x.x"
Recompile and reinstall the binaries, taking proper precautions not to lock yourself out if logged in through the service you want to upgrade. Telnet to port 22 to check out your brand new banner.
Sendmail
Sendmail doesn't require any modifications to source code whatsoever. A facility for modifying the banner is present in the configuration file (sendmail.cf). Open the file /etc/mail/sendmail.cf (or another location, depending on your distribution or how you installed it). There is a good chance the option is already in there, but commented out:
Code:
#O SmtpGreetingMessage=$j Sendmail 9.x.x / 8.x.x; $b
The $j will be replaced by the status code and server identification (i.e. "220 smtp.domain.com ESMTP"). Some mail clients require this; a server error might occur otherwise. The $b will be replaced by the build date. You could change this to:
Code:
O SmtpGreetingMessage=$j Mailserver; Thu, 1 Jan 1970 01:00:00
Restart the sendmail daemons and you are ready to go. Telnet to port 25 to see your new banner.
UW ipopd / imapd
These are part of PINE, and deliver POP2, POP3 and IMAP services. To strip version information from these, the source code needs to be modified. Within the PINE source tree locate the following files:
Code:
pine4.xx/imap/ipopd/ipop2d.c
pine4.xx/imap/ipopd/ipop3d.c
pine4.xx/imap/imapd/imapd.c
Modifying these is quite straightforward. In all these files there is a line which says:
Code:
char *version = "2003.xx";
This can be changed into anything you want:
Code:
char *version = "a.b";
Recompile and install the binaries into their required location and you are ready to go. Note that these services could be in use, so the operating system might refuse to overwrite them. Kill the services and retry.
Apache 1.3
For Apache 1.3.x you need to locate the following file within the Apache source tree:
Code:
apache-1.3.x/src/include/httpd.h
In that file, locate the lines that say something like this:
Code:
#define SERVER_BASEPRODUCT "Apache"
#define SERVER_BASEREVISION "1.3.29"
This can be changed into anything you want:
Code:
#define SERVER_BASEPRODUCT "Webserver"
#define SERVER_BASEREVISION "a.b.c"
Recompile the server and install the binaries. Note that, for different modules that add version information (like PHP and mod_perl), you have to modify those as well. Look below for how to remove it from PHP4.
Apache 2.0
For Apache 2.0.x you need to locate the following file within the Apache source tree:
Code:
httpd-2.0.x/httpd/include/ap_release.h
In that file, locate the lines that say:
Code:
#define AP_SERVER_BASEPRODUCT "Apache"
#define AP_SERVER_MAJORVERSION "2"
#define AP_SERVER_MINORVERSION "0"
#define AP_SERVER_PATCHLEVEL "47"
Modify these into anything you want:
Code:
#define AP_SERVER_BASEPRODUCT "Webserver"
#define AP_SERVER_MAJORVERSION "a"
#define AP_SERVER_MINORVERSION "b"
#define AP_SERVER_PATCHLEVEL "c"
Recompile the server and install the binaries. Telnet to port 80 and do a simple GET / request to see your brand new service banner.
PHP4
Changing the version information for PHP4 requires modifications to source code as well. If you have not yet compiled it, skip some paragraphs. If you have already configured and compiled it, locate the following file:
Code:
php-4.x.x/main/php_version.h
Locate the lines:
Code:
#define PHP_MAJOR_VERSION 4
#define PHP_MINOR_VERSION 3
#define PHP_RELEASE_VERSION 5
#define PHP_EXTRA_VERSION ""
#define PHP_VERSION "4.3.5"
The MAJOR, MINOR and RELEASE are numbers. Too bad. Modify it to something like this:
Code:
#define PHP_MAJOR_VERSION 4
#define PHP_MINOR_VERSION 0
#define PHP_RELEASE_VERSION 0
#define PHP_EXTRA_VERSION ""
#define PHP_VERSION "4.X.X"
Remove the following files:
Code:
main/main.o
main/main.lo
sapi/sapi_apache.lo
sapi/sapi_apache.o
sapi/php_apache.lo
sapi/php_apache.o
sapi/mod_php4.lo
libs/libphp4.so
libs/libphp4.a
libphp4.a
Do a make install-sapi. This will recompile the necessary stuff and install it.

If you have not yet compiled PHP4, within the PHP4 source tree locate the following file:
Code:
php-4.x.x/configure.in
Locate the following lines:
Code:
MAJOR_VERSION=4
MINOR_VERSION=2
RELEASE_VERSION=5
EXTRA_VERSION="RC1"
VERSION="$MAJOR_VERSION.$MINOR_VERSION.$RELEASE_VERSION$EXTRA_VERSION"
The problem here is that the versions are numbers, not strings. Only the VERSION string is. It could however be changed to something like this:
Code:
MAJOR_VERSION=4
MINOR_VERSION=0
RELEASE_VERSION=0
EXTRA_VERSION=""
VERSION="4.X.X"
Compile and install as usual and your new banner will be in effect.

mod_ssl
Just like PHP4, mod_ssl also adds some version information to the web server banner. Also, if you have version-patched Apache, the configure script that came with mod_ssl will fail, because the version check fails. It will output an error like 'This was meant for Apache 1.3.29, but you have got Apache a.b.c.'. To fix this, open the `configure' script and search for APV a couple of times. When you see the 'This was meant for Apache 1.3.29' error, you are there. Just above the "if" insert the following line:
Code:
APV="1.3.29"
This will fool mod_ssl into thinking it's OK, and apply the patches. OK, on to removing version information from mod_ssl. After applying the patches to the Apache source tree, locate the following file:
Code:
apache-1.3.x/src/modules/ssl/Makefile
Look for this line:
Code:
SSL_VERSION=-DMOD_SSL_VERSION=\"2.8.15\"
Modify it to something like this:
Code:
SSL_VERSION=-DMOD_SSL_VERSION=\"2.x.x\" -DSSL_PRODUCT_NAME=\"SSL\" -DSSL_PRODUCT_VERSION=\"a.b.c\"
Then, locate this file:
Code:
apache-1.3.x/src/modules/ssl/ssl_util_ssl.h
Locate these lines:
Code:
#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
#define SSL_LIBRARY_NAME "OpenSSL"
#define SSL_LIBRARY_TEXT OPENSSL_VERSION_NUMBER
Change them into something like this:
Code:
#define SSL_LIBRARY_NAME "SSL"
#define SSL_LIBRARY_TEXT "SSL/x.x.x"
Do a make all in the src/modules/ssl directory to compile only mod_ssl. Install the binaries by copying libssl.so into your ${APACHEROOT}/libexec directory. Then restart your web server for the new banner to take effect. Check 'm out with a simple GET / request.
Bahamut IRCd
To remove the version information from the Bahamut IRC daemon, within the source tree, locate the following file:
Code:
src/s_user.c
Locate the line that uses the RPL_YOURHOST define in the sendto_one() call (somewhere around line 855/860). RPL_YOURHOST is a define defining a formatting string that says something like "Hi there, . This machine is running". Change the line
Code:
sendto_one(sptr, rpl_str(RPL_YOURHOST), me.name, nick, get_client_name(&me, TRUE), version );
into something like this:
Code:
sendto_one(sptr, rpl_str(RPL_YOURHOST), me.name, nick, get_client_name(&me, TRUE), "ircd-1.X" );

Edit
2004-04-27; Updated stuff for Apache 1.3.29 / PHP 4.3.5, and removed some typos.
2003-11-16; Added the Bahamut IRC daemon hack.
2003-10-05; Added a *working* PHP4 hack.
2003-10-05; Added mod_ssl hack.
Last edited by hugo on Tue Apr 27, 2004 11:59 am; edited 3 times in total
Dunceor (Frequent Member, Sweden) posted Sun Oct 05, 2003 6:51 pm:
Well, it's always good to do more stuff so crackers have it tougher to get into your system, but some people think that it's enough just to change the banner of the program and they are safe. Don't go down that line..
Security by obscurity is a bad thing. Otherwise a good text…. /me goes and changes some banners…
Weaver (Regular Member, WI, USA) posted Wed Oct 08, 2003 11:31 pm:
I noticed you didn’t have one for qmail… Props to DJB for a great MTA. -Weaver
fsb (Frequent Member) posted Thu Oct 09, 2003 1:39 am:
I wish I had read that when removing the banners from my server a few months ago. It would have saved hours of cursing. Thanks all the same Hugo, I knew there was a reason you had root on my box.
z0ulsh1ne (Just Arrived) posted Tue Oct 28, 2003 12:12 am:
Hi there,
I have tried changing the banner of my proftpd with:
ServerIdent on "Welcome home"
or
ServerIdent off
in my /etc/proftpd.conf – both work fine.
When I connect it shows no more proftpd information.
But nmapping still says:
21/tcp open ftp ProFTPD 1.2.8
I know nmap does more tests on a server than just looking at the banner, but how could I hide my version from nmap? Nice day
z0ulsh1ne
PS: wow, what a board, reading reading reading learning
Sgt_B (Trusted SFDC Member, Chicago, IL US) posted Tue Oct 28, 2003 5:18 pm:
Good read hugo! Thanks! There's another way to modify Apache banners without editing source code. Some of you may be uncomfortable editing source code, or don't have the time or window of opportunity to recompile. In this case you could use the ServerTokens directive in httpd.conf. While this method is very useful it is not as good as hugo's. Using ServerTokens at its "highest" setting will still show the server type during a banner grab (Apache). This may be acceptable since it also removes any mod banners as well. Still, for full obscurity, you may want to use hugo's suggestion (combined with ServerTokens maybe?)

Quote:
ServerTokens directive
Syntax: ServerTokens Minimal|ProductOnly|OS|Full
Default: ServerTokens Full
Context: server config
Status: core
Compatibility: ServerTokens is only available in Apache 1.3 and later; the ProductOnly keyword is only available in versions later than 1.3.12
This directive controls whether the Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.
ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/1.3.0
ServerTokens OS
Server sends (e.g.): Server: Apache/1.3.0 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2
This setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.
http://httpd.apache.org/docs/mod/core.html#servertokens
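Added example, not from the thread: it checks captured greetings and Server: headers for leftover version information after the source edits hugo describes, and works out which ServerTokens level from the Apache documentation Sgt_B quotes an Apache header corresponds to. The banners below are constructed sample input; paste the ones you see when you telnet to your own services.

```python
"""Added example, not from the thread: spot leftover version information in
service greetings and classify an Apache Server: header by ServerTokens
level. The banners below are constructed sample input."""
import re

# Constructed banners: before and after the edits described in the thread.
SAMPLE_BANNERS = {
    "ssh_before": "SSH-1.99-OpenSSH_3.7.1p2",
    "ssh_after": "SSH-1.99-SSH_x.x",
    "smtp_before": "220 smtp.domain.com ESMTP Sendmail 8.12.10/8.12.10; Thu, 9 Oct 2003 12:00:00 +0200",
    "smtp_after": "220 smtp.domain.com ESMTP Mailserver; Thu, 1 Jan 1970 01:00:00",
    "ftp": "220 ProFTPD 1.2.8 Server (Welcome home) [203.0.113.5]",
}

# product/version pairs as the services in the thread print them
GREETING_VERSION = re.compile(
    r"\b(OpenSSH|Sendmail|ProFTPD|Apache|PHP|mod_ssl|OpenSSL)[_/ ](\d[\w.]*)")


def greeting_versions(banner):
    """(product, version) pairs still visible in a service greeting; an empty
    list means the banner no longer tells a client which release is running."""
    return GREETING_VERSION.findall(banner)


# HTTP Server header: product tokens ("name" or "name/version") and "(comment)" parts
SERVER_TOKEN = re.compile(r"\(([^)]*)\)|([^\s(]+)")


def parse_server_header(value):
    """Split a Server: header value into product tokens and comments, e.g.
    'Apache/1.3.0 (Unix) PHP/3.0' -> products [('Apache','1.3.0'),('PHP','3.0')],
    comments ['Unix']."""
    products, comments = [], []
    for comment, token in SERVER_TOKEN.findall(value):
        if comment:
            comments.append(comment)
        elif token:
            name, _, version = token.partition("/")
            products.append((name, version))
    return {"products": products, "comments": comments}


def servertokens_level(value):
    """Which ServerTokens setting from the Apache docs quoted above produces
    this header: ProductOnly (name only), Minimal (name/version), OS (plus the
    OS comment) or Full (plus module tokens such as PHP/3.0)."""
    parsed = parse_server_header(value)
    products, comments = parsed["products"], parsed["comments"]
    if not products:
        return None
    if len(products) > 1:
        return "Full"
    if comments:
        return "OS"
    if products[0][1]:
        return "Minimal"
    return "ProductOnly"


def audit_server_header(value):
    """Summary a defender wants: the level in effect and every token that still
    carries a version, including the modules hugo's per-module edits clean up."""
    parsed = parse_server_header(value)
    leaks = ["%s/%s" % (n, v) for n, v in parsed["products"] if v]
    return {"level": servertokens_level(value), "versions": leaks, "os": parsed["comments"]}


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, greeting_versions(banner))
    print(audit_server_header("Apache/1.3.29 (Unix) PHP/4.3.5 mod_ssl/2.8.15 OpenSSL/0.9.7c"))
```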
vlad902 (Frequent Member) posted Tue Oct 28, 2003 8:03 pm:
FYI for postfix, in main.cf it has a line like: $smtpd_banner = $mydomain ESMTP $mailversion (or something like that). So I'd just change it to: $smtpd_banner = $mydomain SMTP Sendmail 1.7.4 (Windows 98^H^H2000)
uslacker99 (Just Arrived) posted Thu Sep 30, 2004 8:56 am, subject: sendmail version --> greeting may not be enough:
If you're really paranoid, you will want to:
cat /dev/null > /etc/mail/sendmail.hf
or to whatever file your help file is set to in /etc/mail/sendmail.cf. That way, when someone connects to your server and types help, he doesn't see your version.

Windows security – Access denied for Administrator!

In the Windows world, no access means no access! It’s something I’m not used to – you can actually disallow read/write access to Administrator in Windows! Of course, since you’re Administrator, you can always add it, but if you don’t have it set, you won’t be able to read/write your files! So funny huh? Well, for the seasoned Windows admins, you probably already know this. For the folks that are used to the Unix world where root is God, we all didn’t know it. Of course, Trusted Solaris might have something like 2 roots or something, but for the typical guys, it’s something new.

China’s Internet censorship

The workaround that I've provided to one of my friends is to just modify their Windows hosts file to fix this. Here are the steps:

1) Find the current IP for shocknetwork.dyndns.org by going to:
http://www.dnsstuff.com/tools/lookup.ch … org&type=A
On the page, you'll see something like:
shocknetwork.dyndns.org. A IN 60 68.183.64.29
The number there (68.183.64.29) is the current IP address.

2) Open the hosts file by running:
notepad c:\windows\system32\drivers\etc\hosts
or
notepad c:\winnt\system32\drivers\etc\hosts
At the beginning of the file, it should say something like this:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

3) At the bottom of the file, add the line:
68.183.64.29 wilma www.shocknetwork.com images.shocknetwork.com chunli.shocknetwork.com shocknetwork.com shocknetwork.dyndns.org
Change the number there (68.183.64.29) if it is different from what's on the page. That's it.
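Added example, not part of the original post: a small updater for the hosts-file line from step 3 that replaces a stale dyndns address instead of leaving two lines for the same names. The hosts text below is a constructed stand-in; the real file is the one the post names.

```python
"""Added example, not part of the original post: keep the hosts-file entry
from step 3 in sync with the current dyndns address. The hosts text below is
constructed; the real file is c:\\windows\\system32\\drivers\\etc\\hosts."""
import ipaddress

# names the post maps to the dyndns address
SHOCKNETWORK_NAMES = [
    "wilma", "www.shocknetwork.com", "images.shocknetwork.com",
    "chunli.shocknetwork.com", "shocknetwork.com", "shocknetwork.dyndns.org",
]

# constructed stand-in for the Windows hosts file
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
"""


def _fields(line):
    """Address and names on a hosts line, ignoring comments; [] for blank or comment lines."""
    return line.split("#", 1)[0].split()


def current_ip(text, name):
    """Address the hosts text currently maps `name` to, or None."""
    for line in text.splitlines():
        fields = _fields(line)
        if len(fields) > 1 and name.lower() in (n.lower() for n in fields[1:]):
            return fields[0]
    return None


def update_hosts(text, ip, names=SHOCKNETWORK_NAMES):
    """Return the hosts text with exactly one line mapping `names` to `ip`.
    Any existing line naming one of them (an old dyndns address, for instance)
    is replaced in place; otherwise the line is appended at the bottom, as in step 3."""
    ipaddress.ip_address(ip)  # reject anything that is not an address (ValueError)
    wanted = {n.lower() for n in names}
    new_line = ip + " " + " ".join(names)
    out, done = [], False
    for line in text.splitlines():
        fields = _fields(line)
        if len(fields) > 1 and wanted & {n.lower() for n in fields[1:]}:
            if not done:
                out.append(new_line)
                done = True
            continue  # drop duplicate lines for the same names
        out.append(line)
    if not done:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(update_hosts(SAMPLE_HOSTS, "68.183.64.29"))
```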

VMware – migrating virtual disk from GSX to ESX

Here are the steps for importing a GSX VM to ESX:

1) Here’s how to convert the vmdk file into 2gb chunks:

vmware-vdiskmanager -r sourceDisk.vmdk -t 0 targetDisk.vmdk

2) Share the folder of the new targetDisk with Windows.

3) Make temp directory and mount Windows shared folder on the ESX server:

a) mkdir /mnt/tempwindowsmountpoint

b) mount -t smbfs -o username=<windowsuser> //gsxserver/sharename /mnt/tempwindowsmountpoint

4) Import vmdk

vmkfstools -i /mnt/tempwindowsmountpoint/targetDisk.vmdk /vmfs/vmfs/newtargetDisk.vmdk

5) Create new VM in ESX and point to the newtargetDisk.vmdk

6) Start up new VM.

Regards,

Alton

Sendmail routing through Microsoft Active Directory

To give credit where credit is due, the attachment was sent to me from Randy Fox from csgsystems. There’s one bug with public folders. The workaround is to create a mailing list by the same name and make the public folder a member of the list.

If you’re reading this, you are probably running a Microsoft Exchange
Server or probably currently already have sendmail relaying to an Exchange
Server and want to improve your setup.

Most sendmail to exchange setups will take mail and blindly relay the mail
over. If yours is like this, you will know that you get email bounces that
can go nowhere because most of the initial intentions of the emails were
for spam and they would just send messages to users that they don’t know
even exist. A major problem with this is that it will hold up your sendmail
queue and hinder your performance as it will try to send these emails just
as much as the ones that are important and need to be sent out immediately.
This article will show you how to use sendmail’s ldap features to look into
the Active Directory to see where the mail should go and have sendmail send
it there. By having sendmail look into the Active Directory, it will know
whether users exist and will stop immediately after the “RCPT TO” in the
envelope if users don’t exist, eliminating the useless, bounce emails that
never get anywhere.

This procedure is not fully supported by Sun support because of the amount
of customization required.

First off, you will need a version of sendmail that has ldap capabilities
compiled into it. You can check this with:

/usr/lib/sendmail -d0.11 < /dev/null

Version 8.12.8+Sun
Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8

When you see LDAPMAP, you know that it will work. Solaris 7-9 should all
work. Patches are available for those that don’t.

The Microsoft Active Directory is a different ldap server than your typical
ldap server, so you will want to browse the directory and learn more about
how it’s designed. You will need to find or create a user that can browse
the Active Directory.

For the sake of simplicity, this example will use the Administrator user ID
and its password to bind to the Active Directory server and view its
contents.

For Solaris 8-9, if you have the SUNWlldap package installed, you can use
the ldapsearch command located /usr/bin. Run something like:

/usr/bin/ldapsearch -L -D "cn=Administrator, cn=Users, dc=domain, dc=com" \
-h domaincontroller.domain.com -b "dc=domain,dc=com" objectclass=* \
> /tmp/active_directory.ldif

It will ask you for a password. You want to input the Windows
Administrator’s password there. You can open the /tmp/active_directory.ldif
file and read it and you can find a lot of the information in the directory
server.

If you do not have the ldapsearch command, while logged in as Administrator
on the Exchange server, you can achieve a similar result in Windows with

ldifde -f c:\temp\export.ldif -v

Upon knowing what’s in the Active Directory, you can proceed to plug this
data into your sendmail configuration.

Because the Active Directory is a little different from your standard ldap
server, some hacks are required to make sendmail work.

You want to go into your /usr/lib/mail/hack directory. You can create it if
the directory isn’t there. (The files are attached.) In there, you want to create a file called
AD_ldap_routing.m4 and inside of it have:

divert(-1)
#
# Copyright (c) 1999-2001 Sendmail, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

divert(0)
VERSIONID(`$Id: ldap_routing.m4,v 8.8 2001/06/27 21:46:31 gshapiro Exp $')
divert(-1)

# Check first two arguments. If they aren't set, may need to warn in proto.m4
ifelse(len(X`'_ARG1_), `1', `define(`_LDAP_ROUTING_WARN_', `yes')')
ifelse(len(X`'_ARG2_), `1', `define(`_LDAP_ROUTING_WARN_', `yes')')

# Check for third argument to indicate how to deal with non-existent
# LDAP records
ifelse(len(X`'_ARG3_), `1', `define(`_LDAP_ROUTING_', `_PASS_THROUGH_')',
 _ARG3_, `passthru', `define(`_LDAP_ROUTING_', `_PASS_THROUGH_')',
 `define(`_LDAP_ROUTING_', `_MUST_EXIST_')')

# Check for fourth argument to indicate how to deal with +detail info
ifelse(len(X`'_ARG4_), `1', `',
 _ARG4_, `strip', `define(`_LDAP_ROUTE_DETAIL_', `_STRIP_')',
 _ARG4_, `preserve', `define(`_LDAP_ROUTE_DETAIL_', `_PRESERVE_')')

LOCAL_CONFIG
# LDAP routing maps
Kldapmh ifelse(len(X`'_ARG1_), `1',
 `ldap -1 -v msExchHomeServerName,msExchExpansionServerName -k (|(mail=%0)(proxyaddresses=smtp:%0))',
 `_ARG1_')

Kldapmra ifelse(len(X`'_ARG2_), `1',
 `ldap -1 -v targetAddress -k (|(mail=%0)(proxyaddresses=smtp:%0))',
 `_ARG2_')
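Added example, not the article's own code: it emulates, against a constructed Active Directory export, the decision the ldapmra and ldapmh maps above let sendmail make at RCPT TO time (reroute via targetAddress, route to the Exchange home server, or reject an unknown user). Real entries come from the ldapsearch or ldifde export described earlier; the server name exch01 and the addresses are made up.

```python
"""Added example, not the article's own code: emulate the lookup the ldapmra
and ldapmh maps perform against a constructed AD export, to show why an
unknown recipient is rejected at RCPT TO. All entries below are made up."""

# constructed LDIF, with the attributes the two maps ask for
SAMPLE_LDIF = """\
dn: CN=Jane Doe,CN=Users,DC=domain,DC=com
objectClass: user
mail: jane@domain.com
proxyAddresses: SMTP:jane@domain.com
proxyAddresses: smtp:jdoe@secondarydomain.com
msExchHomeServerName: /o=Domain/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=exch01

dn: CN=Sales Contact,CN=Users,DC=domain,DC=com
objectClass: contact
mail: sales@domain.com
targetAddress: SMTP:sales@partner.example
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines;
    multi-valued attributes become lists (no base64 or folded lines)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def filter_match(entry, address):
    """The -k filter both maps use: (|(mail=%0)(proxyaddresses=smtp:%0)).
    These AD attributes match case-insensitively."""
    addr = address.lower()
    if addr in (v.lower() for v in entry.get("mail", [])):
        return True
    return "smtp:" + addr in (v.lower() for v in entry.get("proxyaddresses", []))


def home_server(entry):
    """Server name from msExchHomeServerName: the text after the last 'cn=',
    which the custom rule set hands to the mailertable."""
    dn = entry["msexchhomeservername"][0]
    return dn.rsplit("cn=", 1)[1]


def route(address, entries, must_exist=True):
    """('reroute', target) when ldapmra finds a targetAddress, ('exchange', server)
    when ldapmh finds the home server, ('reject', reason) for an unknown user
    (the default, _MUST_EXIST_) or ('passthru', address) if the hack was given
    'passthru' as its third argument."""
    for entry in entries:
        if not filter_match(entry, address):
            continue
        if entry.get("targetaddress"):
            return ("reroute", entry["targetaddress"][0].split(":", 1)[1])
        if entry.get("msexchhomeservername"):
            return ("exchange", home_server(entry))
        return ("local", address)
    if must_exist:
        return ("reject", "User unknown: " + address)
    return ("passthru", address)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for rcpt in ("jane@domain.com", "sales@domain.com", "nobody@domain.com"):
        print(rcpt, "->", route(rcpt, directory))
```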

The next step is to make the modifications to your .mc file.

The first feature we should add is a mailertable to tell sendmail where to
send mail for the different ldapsearch results.

So we add the line:
FEATURE(`mailertable')

To add the LDAP features into sendmail, add the lines (of course, you put
in your domains):
HACK(`AD_ldap_routing')
LDAPROUTE_DOMAIN(`domain.com')dnl # what domain to do ldap lookups for.
LDAPROUTE_DOMAIN(`secondarydomain.com')dnl # alternate domain to do ldap lookups for.

You then need to specify your Active Directory settings (this all fits on
one line). You will also need to create the file /etc/mail/ldap.passwd. (We
will do this later)

define(`confLDAP_DEFAULT_SPEC',`-h domaincontroller.domain.com -M simple -d "cn=Administrator, cn=Users, dc=domain, dc=com" -P /etc/mail/ldap.passwd -p 389 -b "dc=domain, dc=com"')

We will now have to add some custom rulesets. There’s also one line you need to change here:

R<> </ o=CSG Systems , Inc . / ou=CSG / cn=Configuration / cn=Servers / $+> <$+> <$+> <$*> $>LDAPMailertable <$1> $2

Make it match your organization. You can find the right value by looking at
your active_directory.ldif file for the msExchHomeServerName attribute.
Every user entry should have something like:

msExchHomeServerName: /o=Domain/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=domaincontroller

With that, you just strip off the last cn= component (cn=domaincontroller
here) and write the rest with a space between each token, the way the rule
above shows it; the rule matches the value token by token, so the slashes,
commas and dots have to stand apart from the words.

LOCAL_NET_CONFIG
R$* < @ $=m . > $* $#esmtp $@ $2 $: $1 < @ $2 . > $3 internal addr delivered to host
R$* < @ $+ . $=m . > $* $#esmtp $@ $2 . $3 $: $1 < @ $2 .$3 . > $4 internal w/host

# Begin custom LDAP rule set.
# The following lines are essentially copied from the proto.m4 file. They are entered here to maintain the proper,
# original flow control but process the Active Directory response properly.
# pass names that still have a host to a smarthost (if defined)
R$* < @ $* > $* $: $>MailerToTriple < $S > $1 < @ $2 > $3 glue on smarthost name

# deal with other remote names
R$* < @$* > $* $#esmtp $@ $2 $: $1 < @ $2 > $3 [email protected]

# handle locally delivered names
R$=L $#local $: @ $1 special local names
R$+ $#local $: $1 regular local names

SLDAPExpand
# do the LDAP lookup for the Exchange mail host
R<$+><$+><$*> $: <$(ldapmra $2 $: $)> <$(ldapmh $2 $: $)> <$1> <$2> <$3>

# if mailRoutingAddress (targetAddress) and local or non-existent mailHost,
# return the new mailRoutingAddress
R<$+> <$=w> <$+> <$+> <$*> $@ $>Parse0 $>canonify $1
R<$+> <> <$+> <$+> <$*> $@ $>Parse0 $>canonify $1

# fix hostname in Mailertable, relay from there
R<$+> <$+> <$+> <$+> <$*> $>LDAPMailertable <$2> $>canonify $1

# if no mailRoutingAddress and local mailHost,
# return original address
R<> <$=w> <$+> <$+> <$*> $@ $2

# if no mailRoutingAddress and non-local mailHost,
# relay to mailHost (Exchange Server) with original address
# "de-AD" response at same time
# You'll need to do the query manually to find the proper value to match here
R<> </ o=CSG Systems , Inc . / ou=CSG / cn=Configuration / cn=Servers / $+> <$+> <$+> <$*> $>LDAPMailertable <$1> $2

# if still no mailRoutingAddress and no mailHost,
# try @domain
R<> <> <$+> <$+ @ $+> <$*> $@ $>LDAPExpand <$1> <@ $3> <$4>

# if no mailRoutingAddress and no mailHost and this was a domain attempt,
# return the original address
R<> <> <$+> <@ $+> <$*> $@ $1
# End of custom LDAPExpand rule set

You now want to create your cf file.

/usr/ccs/bin/m4 ../m4/cf.m4 file.mc > file.cf

Now that we're done with the cf file, we need to supply the other files to
the configuration.
Create the ldap.passwd file (it holds the directory bind password, so keep
it readable by root only):
echo "activedirectorypassword" > /etc/mail/ldap.passwd

Create the mailertable to tell sendmail where to send the mail. The cn=
component we stripped off the end of the msExchHomeServerName is the key
here, and the value is the mailer and host to relay to. So my
/etc/mail/mailertable will look like:
cn=domaincontroller esmtp:exchangeserver.domain.com

After you create this file, you will need to put it in the database for
sendmail to read it. Do this by running the command:
makemap -v hash /etc/mail/mailertable < /etc/mail/mailertable
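The decision order of the custom LDAPExpand ruleset and the mailertable step it ends in, modelled in Python as an added example (not code from the original page or from sendmail). The directory entries, host names, local-host class and mailertable contents are constructed stand-ins, and the targetAddress re-parse that sendmail would hand to canonify and Parse0 is only reported, not performed.

```python
AD = {  # constructed stand-in for the two LDAP maps: ldapmra -> targetAddress ("mra"),
        # ldapmh -> msExchHomeServerName ("mh"); none of these entries is real data
    "alice@domain.com": {"mh": "/o=Domain/ou=First Administrative Group"
                               "/cn=Configuration/cn=Servers/cn=domaincontroller"},
    "bob@domain.com": {"mra": "bob@partner.example", "mh": "relay.partner.example"},
    "carol@domain.com": {"mh": "mailhost.domain.com"},
    "dave@domain.com": {"mra": "dave@partner.example", "mh": "mailhost.domain.com"},
    "@legacy.domain.com": {"mh": "mailhost.domain.com"},  # domain-level entry for the retry
}
LOCAL_HOSTS = {"mailhost.domain.com"}  # stands in for the $=w class (local-host-names)
MAILERTABLE = {"cn=domaincontroller": "esmtp:exchangeserver.domain.com"}  # constructed
# what the custom R<> </ o=... rule strips: everything before the last cn= component
ORG_PREFIX = "/o=Domain/ou=First Administrative Group/cn=Configuration/cn=Servers/"


def ldap_mailertable(host, addr):
    """LDAPMailertable step: resolve the host key via the mailertable, else plain relay."""
    entry = MAILERTABLE.get(host)
    if entry is None:  # the "mailer relay, host cn=..." symptom from the troubleshooting notes
        return ("relay", host, addr)
    mailer, _, target = entry.partition(":")
    return (mailer, target, addr)


def ldap_expand(orig, key=None):
    """Walk the custom LDAPExpand rules for one recipient; key is the value looked up."""
    key = orig if key is None else key
    entry = AD.get(key, {})
    mra, mh = entry.get("mra", ""), entry.get("mh", "")
    if mra and (not mh or mh in LOCAL_HOSTS):  # targetAddress with local/no host: re-parse it
        return ("reparse", mra)                # (sendmail hands this to canonify and Parse0)
    if mra:                                    # targetAddress plus remote host: mailertable
        return ldap_mailertable(mh, mra)
    if mh in LOCAL_HOSTS:                      # no targetAddress, local host: keep original
        return ("local", orig)
    if mh.startswith(ORG_PREFIX):              # Exchange-style host: keep only "cn=server"
        return ldap_mailertable(mh[len(ORG_PREFIX):], orig)
    if not mh and "@" in key and not key.startswith("@"):  # nothing found: retry as @domain
        return ldap_expand(orig, "@" + key.split("@", 1)[1])
    if not mh:                                 # domain attempt found nothing either
        return ("original", orig)              # (sendmail then treats it as a local user)
    return ("unmatched", mh, orig)             # no rule fires; sendmail returns the workspace as-is


if __name__ == "__main__":
    for rcpt in ("alice@domain.com", "bob@domain.com", "dave@domain.com",
                 "eve@legacy.domain.com", "eve@domain.com"):
        print(rcpt, "->", ldap_expand(rcpt))
```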

You will also need to tell sendmail that you take mail for the domain as
well, so you want to put your domain in /etc/mail/local-host-names.
echo "domain.com" > /etc/mail/local-host-names

Now we will need to restart sendmail and test it. Run a command like this
for a user in the Active Directory:
/usr/lib/sendmail -bv [email protected]

You should see: [email protected]… deliverable: mailer esmtp, host
domaincontroller.domain.com, user [email protected]

If you run the same command on a user that’s not in the Active Directory,
you should get:
/usr/lib/sendmail -bv [email protected]
[email protected]… User unknown

Once you’ve got this, you’re all set!

----------------------------------------------------------------------
Some ideas on troubleshooting:

If you see
/usr/sbin/sendmail -bv [email protected]
[email protected]… deliverable: mailer relay, host cn=exchangeserver, user
[email protected]

You probably forgot the mailertable. The mailertable translates the cn=host
to the actual host and tells it which protocol to use to send the mail. In
our case, we use esmtp.

If you see something like this:
/usr/sbin/sendmail -bv [email protected]
[email protected]… deliverable: mailer esmtp, host domain.com., user
>/o=domain/ou=First.Administrative.Group/cn=Configuration/cn=Servers/[email protected]@domain.com<

You have the wrong data in the area where it says:
# relay to mailHost (Exchange Server) with original address
# "de-AD" response at same time
in the sendmail.mc file.

Because it’s hard to read the .mc file stuff in the text, you can download the files here: AD_Routing.tar

How to share Windows to Linux (mount Windows share)

1) Create the Windows share on the Windows box.
2) Log into Linux as root. Then type "smbclient -L <address of the Windows box>".
You'll get some output like this:
# smbclient -L 10.16.8.210
added interface ip=10.16.80.1 bcast=10.16.95.255 nmask=255.255.240.0
Password:
Anonymous login successful
Domain=[OFFICE] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       Remote IPC
        print$         Disk      Printer Drivers
        shareddocs     Disk
        tmp            Disk      Temporary file space

3) With this, you'll have the share names.
4) To mount, you can run:
mount -t smbfs -o username=nobody,password="" //10.16.8.210/tmp /mnt
5) ls -l /mnt
You should see the files there.