leftcase's questions

I'm trying to configure reverse DNS for a sub Class C block. My ISP has delegated 128/25.2.0.192.in-addr.arpa.

I've spent a good few hours reading everything I can find on classless reverse map delegation, but I can't seem to get this working properly in test.

When running dig on the BIND box and requesting 129.128/25.2.0.192.in-addr.arpa, BIND seems to be reporting as authoritative for the 128/25.2.0.192.in-addr.arpa zone, but isn't replying with a PTR record for server1.example.com as I would expect. I'm sure I must be missing something but I seem to be blind to it.

Below, 2.0.192.rev is my zone file, named.conf the zone part of the BIND config and finally the output from dig.

I'd like to confirm that this is the correct approach, if I'm making a mistake, or if there's a better way to do this please?

---------------------------------------------------------------------
2.0.192.rev
---------------------------------------------------------------------
$TTL 4h
$ORIGIN 128/25.2.0.192.in-addr.arpa.
@               IN  SOA  ns1.example.com. hostmaster.example.com. (
                              1144449999 ; serial number
                              3h         ; refresh
                              15m        ; update retry
                              3w         ; expiry
                              3h      ; nx = nxdomain ttl
                              )
                IN  NS          ns1.example.com.
                IN  NS          ns2.example.com.


129             IN  PTR         server1.example.com.
130             IN  PTR         server2.example.com.

---------------------------------------------------------------------
named.conf
---------------------------------------------------------------------
zone "128/25.2.0.192.in-addr.arpa" {
        type master;
        file "2.0.192.rev";
};

---------------------------------------------------------------------
dig @localhost 129.128/25.2.0.192.in-addr.arpa
---------------------------------------------------------------------

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.1 <<>> @localhost 129.128/25.2.0.192.in-addr.arpa
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38179
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;129.128/25.2.0.192.in-addr.arpa. IN        A

;; AUTHORITY SECTION:
128/25.2.0.192.in-addr.arpa. 10800 IN SOA   ns1.example.com. hostmaster.example.com. 1144449999 10800 900 1814400 10800

;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Jan 28 20:11:39 GMT 2016
;; MSG SIZE  rcvd: 128

When supervising iPad 4 devices running IOS8 using Apple Configurator. What happens if the Mac running Apple Configurator blows up and the backups are lost? I understand that iPads can only be unsupervised using the Mac which originally supervised them.

Is it possible to restore the iPad to factory settings (thus removing the supervision) by putting it into recovery or DFU mode and reflashing IOS or would the iPads become expensive bricks?

I'm trying to get the Windows DDNS update sequence straight in my head. Here's what I think happens:

Windows Client             == DHCP Discover
Windows DHCP Server        == DHCP Offer
Windows Client             == DHCP Request with option 81
                              {Client is requesting DHCP server to register reverse 
                              PTR record and offering to register its own A record}
Windows DHCP Server        == DHCP Acknowledge with option 81
                              {Server agrees and updates the client's PTR record on 
                              the DNS server}
Windows Client             == DHCP client updates A record on DNS server.

What happens when the DHCP server is configured to register DNS A records on the client's behalf whether the client requests this or not? Does the client still attempt to update the DNS server directly?

I'm running a bunch of computers which are pretty locked down with Group Policy (users can do virtually nothing other than browse the net and use Office), and local profiles are deleted from machines at shutdown (delprof2).

Having recently updated the network to Windows 7, I've discovered that the locked down accounts seem to get a classic Windows theme (square start menu etc) rather than the standard Windows 7 Aero style one. I've also discovered that if I log onto one of the PCs using my administrative account, restart it and then log in with the locked down user, subsequent logins of the locked down user get the full new Windows theme as I would expect.

I'm trying to pin down why it is this is happening. I've tried comparing running services, looking at which updates are installed, and tried adding the locked down user to the local admin group (just as a test) to see whether or not this causes the locked down user to be able to start the proper desktop without another administrative user having had to have logged in at some point first (incidentally the locked down user still didn't get the full desktop despite this).

Short of logging onto all of the PCs once with an admin account, I've pretty much hit a block with figuring out what's causing this. Has anybody else seen this kind of thing before?

After having upgraded a Windows Server 2003 Active Directory Domain to Server 2008, and upgraded client PCs from Windows XP to Windows 7, I'm seeing inconsistent dynamic DNS update behaviour.

Two domain controllers also have a DHCP and DNS role. Each DHCP server has the 'DNS dynamic updates registration credentials' setting populated with a user account which is a member of the 'DnsUpdateProxy' group, and (although I've seen arguments for and against) I've added the servers themselves to the 'DnsUpdateProxy' group.

The DHCP servers are configured with the following settings ticked:

'Enable DNS dynamic updates according to the settings below' 'Always dynamically update DNS A and PTR records' 'Discard A and PTR records when a lease is deleted'

Some PCs seem to work fine. They request a DHCP address, and the DHCP server hands them one and updates DNS. If I check the security of the 'A' record created through the dynamic update, the record is owned by the account created for DNS dynamic update registration and populated in the DHCP server.

Some PCs on the other hand appear to register their own 'A' records directly with the DNS server. This results in an 'A' record owned by either 'system' or the PC's AD computer account. When this happens, the 'A' record becomes unwriteable by the DHCP server due to its security settings.

The only way I can think around this, is to give full control of the zone to the account used by the DHCP server to dynamically update the DHCP server. This would then allow it to delete/modify any 'A' record, even those it has not created.

A better way would be to figure out why PCs sometimes register 'A' records instead of the DHCP server.

I'd really appreciate some advice if anyone has come across this before.

I'm trying to test and document a backup and restore procedure for Centos 6. Here's where I'm up to, but there are a few areas where I need a bit of clarity. CentOS backup/restore documentation on the 'net is a bit hit and miss.

General backup and restore plan

• Backup your systems each day using your favourite backup software. I'm not going to go into this in great depth, but let's say you have a proper backup system that allows you to make a backup of one system and restore it to another.

• Smoke and flame engulfs one of your servers! After dealing with the immediate danger you realise that an important system is irreparably damaged. You need to restore it to different hardware.

• Check the backup files. Look at the backup of the failed system's /etc/redhat-release file. Use this to establish which version (patch level) of CentOS the failed system was using? Grab the install media for this version.

• Using the install media, do a minimal install of the Operating System to your replacement hardware, partitioning the disks as appropriate for the system's end use.

• After the minimal system is installed, temporarily disable selinux, echo ‘0’> /selinux/enforce stop iptables, service iptables stop and install your backup client.

• Recover from the backup, excluding the following files from recovery:

/proc
/sys
/tmp
/dev
/var/lock <- don't exclude from restore - see answer
/var/run <- don't exclude from restore - see answer
/var/tmp
/etc/fstab
/etc/mdadm.conf
/etc/mtab
/etc/resolv.conf
/etc/networks
/etc/sysconfig/network*
/etc/sysconfig/kernel
/etc/hosts
/etc/modprobe*
/etc/networkmanager <- to ensure that IP isn't restored - see answer
/etc/udev
/lib/modules
/boot

• When the restore has completed, reboot and watch for errors

• Check that the network configuration is correct. You may need to use system-config-network to make changes to your network settings.

• Some applications like Apache and MySQL may not start correctly after the restore. Because /var/run was excluded from the restore, subfolders like /var/run/httpd won't exist, and so applications won't be able to create PID files properly. You need to restore folders like /var/run/httpd/ and /var/run/mysqld/ and give them the correct permissions. This shouldn't be a problem as long as you don't exclude /var/run and /var/lock from the restore - see answer.

• After completing remedial action ensure applications come up correctly.

• If you're running a MySQL database it may still be OK without you having to restore it from any flatfile backup you may have made. You can check the state of the database by running mysqlcheck -c -u root –p******** --all-databases. If you see any errors run mysqlcheck -c -u root –p******** --all-databases --auto-repair to repair them. You should always ensure that you have a proper backup your database as indicated in the answer below. I personally use mysqldump.

• Patch the system up to the latest level using yum update.

• After rebooting to ensure the system comes back up clearly and thoroughly checking /var/log/messages for any errors, test the system's functionality to ensure it is operating correctly. When this is the case, use system-config-network to change the IP address to that of the original faulty system.

Issues/Questions

• Excluding /var/run/* from the restore causes the subfolders used to contain PIDs for some apps not to not be created when you restore. Is it really necessary to exclude /var/run/* from restore? Is a better way to simply not restore the PID files?

• When the system was restored, the IP address of the 'faulty system' was also restored. I didn't want this. I must have missed a file off of my 'exclude from recovery' list. Any ideas where it is?

• When updating I get lots of messages like /sbin/ldconfig: /usr/lib64/libblah.so is not a symbolic link. When I reboot the system after updating some services don't come up correctly. I wonder if this is something to do with the backup system restoring the files that the symbolic links point to instead of the symbolic links themselves. If I run ldconfig and look at one of the shared objects it complains about, the shared object is an actual file rather than a symlink. Anybody else seen this?

I have a pclist.csv file like this:

----------------------------------------------
| Name | LastLogonTimestamp | Some Other Data |
-----------------------------------------------
| 2342 | 23/05/2012         | Blah Blah Blah  |
-----------------------------------------------
| 3433 |                    | Yada Yada Yada  |
-----------------------------------------------

As you can see, some of the LastLogonTimestamp cells don't contain any data and some do.

I'm trying to examine this .csv using a powershell function like this:

$assets = import-csv pclist.csv

Function ActiveDesktop
{
foreach ($asset in $assets)
    {
    if ($asset.'LastLogonTimestamp' -le {get-date.adddays(-90) -format "ddMMyyyy"})
        {write-host $asset.Name, $asset."LastLogonTimestamp"}
    }
}

I want to see which PCs are inactive, but running the query doesn't return anything. Can anybody point me in the right direction?

I've been experimenting with the FilesMatch Directive. During my first attempt, I discovered that my default rules (rulesets 1 & 2) didn't allow me to access www.test.com/ but did allow me to access www.test.com/index.php

I presumed this was because the file "/" hit ruleset 1 but not ruleset 2 and so got blocked. I therefore put ruleset 3 in place and everything seems to be working now. I just wanted to ask if anyone had any advice on implementing this directive, and whether or not I've gone about it the correct way?

#Ruleset1
<FilesMatch "^.*$">
        Order Deny,Allow
        Deny from all
</FilesMatch>

#Ruleset2
<FilesMatch "^.*\.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png|php?)$">
        Order Deny,Allow
        Allow from all
</FilesMatch>

#Ruleset3
<FilesMatch "">
        Order Deny,Allow
        Allow from all
</FilesMatch>

I've hit a brick wall configuring Alfresco 4.0.d on Redhat 6.

I'm using Kerberos authentication, it seems to be working normally, and single sign on is working on the main alfresco app itself. I've been through the configuration steps to get the share app working, but try as I may, I keep getting this error in catalina.out each time a browser accesses http://server:8080/share along with a 'Windows Security' password box.

WARN  [site.servlet.KerberosSessionSetupPrivilegedAction] credentials can not be delegated!

Here's what I've done so far:

Using AD users and computers, selected the alfrescohttp account, and selected 'trust this user for delegation to any service (Kerberos only).

share-config-custom.xml

Copied /opt/alfresco-4.0.d/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.sample to share-config-custom.xml and edited like this:

   <config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <password>*****</password>
         <realm>MYDOMAIN.CO.UK</realm>
         <endpoint-spn>HTTP/[email protected]</endpoint-spn>
         <config-entry>ShareHTTP</config-entry>
      </kerberos>
   </config>


   <config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>

         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>

krb5.conf

Setup the /etc/krb5.conf file like this:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.CO.UK
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
proxiable = true

[realms]
MYDOMAIN.CO.UK = {
  kdc = mydc.mydomain.co.uk
  admin_server = mydc.mydomain.co.uk
}

[domain_realm]
.mydc.mydomain.co.uk = MYDOMAIN.CO.UK
mydc.mydomain.co.uk = MYDOMAIN.CO.UK

java.login.config

/opt/alfresco-4.0.d/java/jre/lib/security/java.login.config is configured like this:

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfrescocifs.keytab"
   principal="cifs/server.mydomain.co.uk";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfrescohttp.keytab"
   principal="HTTP/server.mydomain.co.uk";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

ShareHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/alfrescohttp.keytab"
principal="HTTP/server.mydomain.co.uk";
};

alfresco-global.conf

And finally, the following settings in alfresco-global.conf

authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm

kerberos.authentication.real=MYDOMAIN.CO.UK
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.cifs.password=******
kerberos.authentication.http.password=*****
kerberos.authentication.defaultAdministratorUserNames=administrator

ntlm.authentication.sso.enabled=true

As I say, I've hit a brick wall with this and I'd really appreciate any help you can give me! This question is also posted on the Alfresco forum, but I wondered if any folk here on serverfault have come across similar implementation challenges?

I'm running a small (but growing) Linux environment comprising of no more than 10 Linux servers.

The environment consists of CentOS 5 & 6, and Oracle Linux 5 & 6 boxen. All of these are patched individually via their appropriate yum repos.

Can anyone suggest a method of centralising patch management for these servers? I've heard that Puppet is often used to do this but I've never used it myself, and would be interested in hearing from other system administrators.

I'm migrating Cacti from Windows to Linux and I've come across a bit of a problem.

The Windows server is running an older version of Cacti so I'm migrating it to version 0.8.

I've managed to port the database across to the new server, the installer ran successfully and the tables have been migrated to the new version. I've copied over the RRA folder (containing the old RRD files) from the Windows server to the new version on the Linux server but graphs are not displaying.

Manually running poll.php from the command line reveals this error when Cacti tries to update the RRD files:

ERROR: reached EOF while loading header rrd->ds_def

Any ideas what might be causing this?

Thanks in advance!

Chris

I've always configured Apache like this:

/etc/httpd/conf/httpd.conf (Main Apache config)

<Directory />
   Options None
   AllowOverride None
   Order deny,allow
   Deny from all 
</Directory>


<Directory "/var/www/html">
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

Virtualhosts config

<VirtualHost *:80>
        ServerName xxxxx.co.uk
        ServerAlias xxxxx.co.uk xxxxx
        DocumentRoot /var/www/html/xxxxx.co.uk   
        ErrorLog /var/www/log/xxxxx.co.uk
        <Directory "/var/www/html/xxxxx.co.uk">
                AllowOverride None
                Options -Indexes -FollowSymLinks
                Order Allow,Deny
                Allow from all
        </Directory>
 </VirtualHost>

I've noticed that some people seem to create a specific folder for web content and logs, i.e

/srv/html/xxxxx.co.uk
/srv/log/xxxxx.co.uk

I wonder if anyone could throw any light onto why that is? Is it more secure to do it like this? Are there any other reasons to move web content content and logs out of the /var/..... path?

Thanks in advance :-)