Thursday, September 29, 2016

How to rename your Spacewalk Server

This will also fix the certificate name error some spacewalk clients report, which makes the repos show 0 packages even though spacewalk reports there are 1,000s of packages in the repo.  Another error message you may see is "The SSL certificate failed verification."

On your spacewalk server you can check the cert:

openssl verify -CAfile /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/spacewalk/jabberd/server.pem

You can also verify if your server name matches the certificate name by running the spacewalk rename script.

Before running the command, you need to install the spacewalk-utils package:

yum install spacewalk-utils

spacewalk-hostname-rename x.x.x.x

The Xs are your server's IP.  It will tell you the name it is reading.  Compare that to the file /root/ssl-build/rhn-ca-openssl.cnf; you are looking for the cn= line.
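Added example (not from the original post) that does the two checks above in one go: verify the jabberd certificate against the CA file, then compare the certificate CN with the hostname the server reports, which is the comparison the rename script leaves you to do by hand. The function names are mine; the paths are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are the ones the post checks;
# the function names are my own.

# Print the CN from an "openssl x509 -noout -subject" line, in either output style:
#   old:  subject= /C=US/O=Spacewalk/CN=spacewalk.example.com
#   new:  subject=C = US, O = Spacewalk, CN = spacewalk.example.com
cn_from_subject() {
    printf '%s\n' "$1" | awk '
        { sub(/^subject= */, "")
          n = split($0, part, /\/|, */)          # "/" separators (old) or ", " (new)
          for (i = 1; i <= n; i++) {
              split(part[i], kv, /=/)
              gsub(/^ +| +$/, "", kv[1]); gsub(/^ +| +$/, "", kv[2])
              if (toupper(kv[1]) == "CN") { print kv[2]; exit }
          } }'
}

# 0 when the CN equals the hostname (case-insensitive, trailing dot ignored), else 1.
cn_matches_host() {
    cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# Run on the Spacewalk server: chain check first, then the name check the rename
# script does by hand. A non-zero exit means new certificates are needed.
check_spacewalk_cert() {
    ca=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    cert=/etc/pki/spacewalk/jabberd/server.pem
    fqdn=$(hostname -f)
    openssl verify -CAfile "$ca" "$cert" || return 1
    cn=$(cn_from_subject "$(openssl x509 -in "$cert" -noout -subject)")
    if cn_matches_host "$cn" "$fqdn"; then
        echo "OK: certificate CN '$cn' matches $fqdn"
    else
        echo "MISMATCH: certificate CN '$cn' but hostname is $fqdn" >&2
        return 1
    fi
}
# usage (on the server): check_spacewalk_cert
```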

Now assuming that names don't match or you want to change your server name:

RHEL 7
hostnamectl set-hostname newservername

RHEL 6
hostname newname

vim /etc/sysconfig/network
Set HOSTNAME=newname in that file so the new name survives a reboot.

Now verify the new name is working

hostname

Now we need to create new certs.

rhn-ssl-tool --gen-ca --force

rhn-ssl-tool --gen-server

Now you need to install the new certs.

rpm -ivh --force ~/ssl-build/spacewalk/rhn-org-httpd-ssl-key-pair-spacewalk-1.0-2.noarch.rpm

Copy the new file to the apache folder so the clients can access it:

cp ~/ssl-build/rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm /var/www/html/pub/

chown apache /var/www/html/pub/rhn-*

Note:  The rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm changed on me.  The original was 1.0-1.

Even though everything now looks right, the spacewalk rename tool won't work until you reboot.  So reboot and then run:

spacewalk-hostname-rename x.x.x.x

Then, on each client, do what you would normally do to register:

rpm -Uvh http://servername.domain.com/pub/rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm --force

Note that I added the --force argument.

rhnreg_ks --serverUrl=https://servername.domain.com/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=1-activationkeyname

Note: If the system is already registered, you must add --force to the rhnreg_ks command.

Monday, September 26, 2016

Error: /usr/lib64/python2.6/site-packages/pycurl.so: undefined symbol: CRYPTO_set_locking_callback

This error message gets thrown when I run ANY yum command.  After lots of googling and finding nothing, I stumbled upon part of the solution (first link below).

The page pointed out a system variable, "LD_LIBRARY_PATH".  This variable was not set on working machines, but it WAS set on machines that had Matlab installed.

I believe Matlab must set this for the root account, which breaks yum.  Here is how I fixed it.  There was a user named matlab_user already created, so I just moved the value to that user's bash profile.

This is for the root account:
echo "export LD_LIBRARY_PATH=" >> /root/.bashrc
cat /root/.bashrc

This is for the matlab_user.  The dollar signs are escaped so the variable is expanded when the user logs in, not when echo runs, and the ${VAR:+VAR:} form avoids a leading empty element in the path (an empty element makes the dynamic loader search the current directory):
echo "export LD_LIBRARY_PATH=\${LD_LIBRARY_PATH:+\$LD_LIBRARY_PATH:}/opt/MATLAB/MATLAB_Runtime/v81/runtime/glnxa64:/opt/MATLAB/MATLAB_Runtime/v81/bin/glnxa64:/opt/MATLAB/MATLAB_Runtime/v81/sys/os/glnxa64:/opt/MATLAB/MATLAB_Runtime/v81/sys/java/jre/glnxa64/jre/lib/amd64/native_threads:/opt/MATLAB/MATLAB_Runtime/v81/sys/java/jre/glnxa64/jre/lib/amd64/server:/opt/MATLAB/MATLAB_Runtime/v81/sys/java/jre/glnxa64/jre/lib/amd64:/opt/MATLAB/MATLAB_Runtime/v84/runtime/glnxa64:/opt/MATLAB/MATLAB_Runtime/v84/bin/glnxa64:/opt/MATLAB/MATLAB_Runtime/v84/sys/os/glnxa64:/opt/MATLAB/MATLAB_Runtime/v85/runtime/glnxa64:/opt/MATLAB/MATLAB_Runtime/v85/bin/glnxa64:/opt/MATLAB/MATLAB_Runtime/v85/sys/os/glnxa64" >> /home/matlab_user/.bashrc

cat /home/matlab_user/.bashrc

Source:  Link

Fixing Nessus Finding Remote Desktop Protocol Network Level Authentication through GPO

How to fix the Nessus Finding Remote Desktop Protocol Network Level Authentication through GPO.

Click Start -> Control Panel -> Administrative Tools -> Group Policy Management

Step 1:

Open Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security, then set:

Require User Authentication for Remote Connections by Using Network Level Authentication -> Enabled

Set Client Connection Encryption Level -> Enabled
Encryption Level: High Level

Fixing Nessus POODLE Finding through GPO

How to fix the Nessus POODLE Finding through GPO.

Click Start -> Control Panel -> Administrative Tools -> Group Policy Management

Step 1:

Open Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off Encryption support -> Enabled

Should be set to:  Use TLS 1.0, TLS 1.1, and TLS 1.2

Step 2:

Click Computer Configuration -> Preferences -> Windows Settings -> Registry -> Right Click, New Registry Item.

Reg Item 1:

Action: Update
Hive: HKLM
Key Path: SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
Value Name: Enabled
Value Type: REG_DWORD
Value Data: 0

Reg Item 2:

Action: Update
Hive: HKLM
Key Path: SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
Value Name: Enabled
Value Type: REG_DWORD
Value Data: 0

Fixing Microsoft Security Bulletin MS15-124 Finding in Nessus

How to fix the Microsoft Security Bulletin MS15-124 Finding in Nessus.

Click Start -> Control Panel -> Administrative Tools -> Group Policy Management

Click Computer Configuration -> Preferences -> Windows Settings -> Registry -> Right Click, New Registry Item.

Reg Item 1:

Action: Update
Hive: HKLM
Key Path: SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
Value Name: iexplore.exe
Value Type: REG_DWORD
Value Data: 1

Reg Item 2:

Action: Update
Hive: HKLM
Key Path: SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
Value Name: iexplore.exe
Value Type: REG_DWORD
Value Data: 1

Nessus Finding: Hardened UNC Path through a GPO

How to fix the Nessus Hardened UNC Path finding.

Click Start -> Control Panel -> Administrative Tools -> Group Policy Management

Computer Configuration -> Policies -> Administrative Templates -> Network -> Network Provider -> Hardened UNC Paths -> Enabled

Scroll down and click Show.  Enter the following:

Working SSSD Config for RHEL 6.8/CentOS 6.8

Now I want to note that I have not tried this from a clean install. These are my notes from when I was switching over from samba/winbind, which is why you'll see some mentions of having to copy/paste things a second time or having to restart extra times. They may be optional.

Optional:
Leave old domain, sync time.
ntpdate -u dc01.domain.com
net ads leave domain.com -U username

Optional:
There was an issue with the previously installed version; it had to be removed before installing anything else.
yum remove libipa_hbac -y


Step 1: Install SSSD, Authconfig, SSSD Tools, ADCLI, and KRB5 Workstation
yum install sssd authconfig sssd-tools adcli krb5-workstation -y

Step 2: Configure KRB, Samba, and SSSD ****** CASE MATTERS !!!!!!!! ******
echo y | cp /etc/krb5.conf /etc/krb5.conf.bak

echo "[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
DOMAIN.COM = {
kdc = DC01.DOMAIN.COM
admin_server = DC01.DOMAIN.COM
kdc = X.X.X.X
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM" > /etc/krb5.conf
 
echo y |cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

echo "[global]
workgroup = DOMAIN
client signing = yes
#client user spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
password server = DC01.DOMAIN.COM
realm = DOMAIN.COM
security = ADS" > /etc/samba/smb.conf

echo y | cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bak

echo "[sssd]
config_file_version = 2
services = nss, pam, autofs, ssh
domains = DOMAIN.COM
#default_domain_suffix = DOMAIN.COM

[nss]
filter_users = root,ldap,named

[domain/DOMAIN.COM]
id_provider = ad
ad_server = dc01.domain.com
ad_backup_server = dc02.domain.com
ad_domain = domain.com
krb5_realm = DOMAIN.COM
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_schema = ad
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
enumerate = true

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5


[autofs]" > /etc/sssd/sssd.conf

Step 3: Restart the services:
service smb restart; service winbind restart; service sssd restart;

Step 3: Test to see if all the config files are working
kinit username

Type in your password; if it returns with no output, it worked.
You can check this by typing:
klist

If you get an error, something is wrong in the config or your password is wrong.

Step 4: Configure PAM Modules, Join Domain
authconfig --update --enablesssd --enablesssdauth

service smb restart; service winbind restart; service sssd restart;

adcli join domain.com -U user -v

Verify everything in the nsswitch file got updated. The entries should be "files sss".
cat /etc/nsswitch.conf

Should look like this:
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus

Step 5: Restart services, Print out AD Users, Print out AD Groups, Check ID for test User
service smb restart; service winbind restart; service sssd restart;
getent passwd

getent group

id username

Step 6: Test login
ssh username@127.0.0.1

****IF getent doesn't show anything but ID works, restart the services again, check again *****
service smb restart; service winbind restart; service sssd restart;


If you want to limit login based on groups, check out /etc/security/access.conf (single quotes here, so the inner double quotes reach the file intact):
echo '+ : group1 "group 2" jsmith root : ALL
- : ALL : ALL' >> /etc/security/access.conf

Sudo based on groups (check the result with visudo -c before you log out; a syntax error in sudoers locks sudo):
echo "%admin ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers

pam_sss(xxx:auth): received for user jsmith: 4 (System error) SSSD CentOS 6.7/RHEL 6.7

This error is very generic and I found out that it really could be many different things. Luckily, every time it got fixed by doing the same thing.
Step 1: Determine if it is truly connected to the domain.
net ads leave domain.local -U jsmith.adm
No realm set, are we joined ?

Step 2: Retry joining domain
net ads join domain.local -U jsmith.adm

I've seen the following error:
libnet_join_ok: failed to get schannel session key from server dc.domain.local for domain DOMAIN. Error was NT_STATUS_NO_TRUST_SAM_ACCOUNT

Failed to join domain: failed to verify domain membership after joining: No trusted SAM account

Possible Fixes:
Double-check the krb5.conf file for typos.
service smb restart; service winbind restart; service sssd restart;

Another problem I found was that end users with sudo access had changed the ownership of the /tmp directory, and while joining the domain the process was able to create the temp files it needed. Here's how I figured it out.

Edit /etc/sssd/sssd.conf and, in the [domain] and [pam] sections, set debug_level = 8. Restart sssd and log in again. Now check /var/log/sssd/krb5_child.log.

Here were my findings:
[root@box log]# tail sssd/krb5_child.log
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [unpack_buffer] (0x2000): No old ccache
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_569601190_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [check_use_fast] (0x0100): Not using FAST.
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [check_parent_stat] (0x0020): Private directory can only be created below a directory belonging to root or to [569601190].
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [create_ccache_dir] (0x0010): Check the ownership and permissions of krb5_ccachedir: [/tmp].
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [k5c_precreate_ccache] (0x0040): ccache creation failed.
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [k5c_ccache_setup] (0x0040): Cannot precreate ccache
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [privileged_krb5_setup] (0x0020): k5c_ccache_setup failed.
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [main] (0x0020): privileged_krb5_setup failed.
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [main] (0x0020): krb5_child failed!

Another command that helped troubleshoot this was:

KRB5_TRACE=/dev/stdout kinit admin
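Added example, not from the original post: the ownership test that check_parent_stat applies in the log above, done from the shell before you turn debug logging on. The credential-cache directory (/tmp in the log; krb5_ccachedir in sssd.conf if you changed it) must belong to root or to the user logging in, and a shared one needs the sticky bit. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: the check krb5_child's check_parent_stat
# makes in the log above, done from the shell. Function names are my own.

# 0 when $1 is a directory owned by root or by uid $2, else 1 with the reason on stdout.
ccache_dir_ok() {  # $1=directory  $2=numeric uid of the user who cannot log in
    dir=$1; uid=$2
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    owner=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")
    if [ "$owner" != 0 ] && [ "$owner" != "$uid" ]; then
        echo "$dir: owned by uid $owner, must be root (0) or the user ($uid)"
        return 1
    fi
    # A root-owned, shared ccache directory needs the sticky bit (1777) so users
    # cannot remove or replace each other's caches; /tmp is the normal case.
    if [ "$owner" = 0 ] && [ "$mode" != 1777 ] && [ "$mode" != 700 ]; then
        echo "$dir: mode $mode, expected 1777 (shared) or 700 (root-private)"
        return 1
    fi
    return 0
}

# Resolve a login name through nss/sssd and run the check; prints the fix when it fails.
check_ccache_for_user() {  # $1=login name  $2=directory (default /tmp)
    dir=${2:-/tmp}
    uid=$(id -u "$1") || return 1
    ccache_dir_ok "$dir" "$uid" && return 0
    echo "fix for the shared case: chown root:root $dir && chmod 1777 $dir"
    return 1
}
# usage: check_ccache_for_user jsmith
```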

Source: Link Link Link Link Link

Thursday, August 25, 2016

Getting exact URL from mirrorlist in yum

While configuring spacewalk, I ran into the problem that it didn't like using a mirror list. I needed the exact URL. To get the exact URL your system uses, do the following:

yumdownloader --urls package-name-that-is-in-the-repo-your-trying-to-get-url-from


Source: Link

Monday, August 15, 2016

Configuring Xrdp in Redhat (RHEL) 7 / CentOS 7

First thing is to install some type of desktop:
yum groupinstall "Gnome Desktop"
You need to install the epel repo. ****(The Next two lines may change if the version is not 7.8)****
wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-8.noarch.rpm

rpm -ivh epel-release-7-8.noarch.rpm

yum clean all
yum repolist
Next install VNC and XRDP
yum install tigervnc-server xrdp

cp /etc/pam.d/sshd /etc/pam.d/xrdp-sesman
systemctl restart xrdp
systemctl enable xrdp

cp /lib/systemd/system/vncserver\@.service /etc/systemd/system/vncserver@.service
Original:
[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/sbin/runuser -l  -c "/usr/bin/vncserver %i"
PIDFile=/home//.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
I used the root account for testing. Use any account you would like.
Working:
[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/sbin/runuser -l root -c "/usr/bin/vncserver %i -geometry 1280x1024"
PIDFile=/root/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
I did the above with sed:
sed -i 's/ -c/root -c/g' /etc/systemd/system/vncserver@.service
sed -i 's/vncserver %i/vncserver %i -geometry 1280x1024/g' /etc/systemd/system/vncserver@.service
sed -i 's/\/home\//\/root/g' /etc/systemd/system/vncserver@.service
Reload the services
systemctl daemon-reload
Set the VNC Password
vncpasswd
Start the service and enable it on boot
systemctl start vncserver@:1.service
systemctl enable vncserver@:1.service
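Added example, not from the original post: the three sed edits above generalised to any account and screen size, with the two blanks the stock unit ships with checked afterwards so a half-edited unit never reaches systemd. The function names are mine; the template path is the one the post copies from.

```shell
#!/bin/sh
# Added example, not from the original post: the post's sed edits for any user,
# plus a check that no placeholder was left behind. Function names are my own.

# Render the stock vncserver@.service template for one user, to stdout.
#   $1=template path  $2=user  $3=geometry (e.g. 1280x1024)  $4=home (optional, else looked up)
render_vncserver_unit() {
    tmpl=$1; user=$2; geom=$3
    home=${4:-$(getent passwd "$user" | cut -d: -f6)}
    [ -n "$home" ] || { echo "no home directory known for $user" >&2; return 1; }
    sed -e "s#runuser -l  -c#runuser -l $user -c#" \
        -e "s#vncserver %i\"#vncserver %i -geometry $geom\"#" \
        -e "s#PIDFile=/home//#PIDFile=$home/#" "$tmpl"
}

# 0 when neither of the stock unit's blanks is still present in the rendered file.
unit_is_complete() {  # $1=rendered unit file
    ! grep -q -e 'runuser -l  -c' -e 'PIDFile=/home//' "$1"
}

# usage: render_vncserver_unit /lib/systemd/system/vncserver@.service vncuser 1280x1024 \
#            > /etc/systemd/system/vncserver@.service \
#        && unit_is_complete /etc/systemd/system/vncserver@.service && systemctl daemon-reload
```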
