
Problem with random generator /dev/random

June 27th, 2013 No comments

Yesterday a friend called me because he wanted to migrate a website to his web server. I created hosting for him, and then the problems began. When he accessed one .php file, the browser was “working”, but nothing happened. There was nothing in the logs about problems on the server. Nothing.

So I started to investigate the problem. CPU was fine, RAM was fine, disk queue length was fine. So I focused on the particular .php file. I ran the following command:

strace php -f PATH_TO_PHP_FILE

and I saw:

strace PHP file

and it was not moving forward. After a couple of tens of seconds it moved one line further. It looked like a problem with /dev/random. When I looked into the file crypt.class.php

PHP file source

I saw the function mcrypt_create_iv(), which creates an initialization vector from a random source. And that’s it: the random source is defined as /dev/random. You can change the source by setting the second parameter to MCRYPT_DEV_URANDOM. When I tested it with the second parameter set to MCRYPT_DEV_URANDOM, everything worked as it should and the PHP file was generated normally. When I tried cat /dev/random, I received some random characters, and after a couple of tens of seconds I got more random characters:

Slow /dev/random

So this looks like a slow /dev/random. When I tried cat /dev/urandom, my screen was full of random characters. I started to look for the differences between /dev/random and /dev/urandom. The Linux kernel implements a random generator which collects random bits into an entropy pool. When the entropy pool is empty, reads from /dev/random block until additional random bits are generated. The unblocked/non-blocking random source /dev/urandom does not block when the entropy pool is empty (it reuses existing random bits). You can check how many bits are available in the entropy pool with cat /proc/sys/kernel/random/entropy_avail. More info here.
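To see the blocking behaviour without hanging a terminal the way cat does, the devices can be probed with non-blocking reads. This is an added example, not code from the original post; the function names and the 16-byte IV size are assumptions chosen for illustration.

```python
import os

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"


def entropy_avail(path=ENTROPY_AVAIL):
    """Return the kernel's current entropy estimate in bits."""
    with open(path) as f:
        return int(f.read().strip())


def read_nonblocking(device, n):
    """Return the bytes `device` can deliver right now (b'' if a normal read would block)."""
    fd = os.open(device, os.O_RDONLY | os.O_NONBLOCK)
    try:
        return os.read(fd, n)
    except BlockingIOError:
        # EAGAIN: the pool is too low, a blocking read would hang at this point
        return b""
    finally:
        os.close(fd)


def would_block(device, n):
    """True if a blocking read of n bytes from `device` would stall at this moment."""
    return len(read_nonblocking(device, n)) < n


if __name__ == "__main__":
    iv_size = 16  # assumed IV size in bytes (128-bit block cipher)
    print("entropy_avail:", entropy_avail(), "bits")
    for dev in ("/dev/random", "/dev/urandom"):
        print(dev, "would block:", would_block(dev, iv_size))
```

Run it before and after starting rngd to see the effect on entropy_avail. With HRNGDEVICE=/dev/urandom the daemon feeds the kernel its own output, so the counter rises without any new randomness entering the pool.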

So how do you speed up the generation of random bits into the entropy pool? There is a daemon which can help you out: rng-tools. To make it work in Debian you have to do the following:

  • apt-get install rng-tools
  • Edit file /etc/default/rng-tools
  • In file set HRNGDEVICE=/dev/urandom
  • Start up daemon /etc/init.d/rng-tools start

When I started this daemon, /dev/random started generating lots of random characters. 🙂

So this took four hours of my life. I’ve been working with Linux for a couple of years, but I had no idea about the difference between /dev/random and /dev/urandom. I’m smarter now.

Have a nice day,

Active Directory Sync Tool – filters for user accounts

June 26th, 2013 2 comments

Today I published an article on how to set up synchronization between Active Directory and the Microsoft Office 365 cloud. I also mentioned that you can filter which users you want to synchronize to the cloud and which not, and I referred to an article where this is described. I started to play with it, but it’s not as simple as I thought 🙂

They mention that you can filter on three conditions:

  • Based on OU location
  • Domain based
  • User attribute

I wanted to investigate the third option – filtering on a user attribute. So I started to read the article. The first and most important thing to mention is that you set the filter on the users which you DO NOT want to synchronize. 🙂 I decided to synchronize users which have their attribute “department” set to the value “IT”. So I had to set the filter to exclude all users which don’t have this attribute set. 🙂

Another catch in the article is the location of the MIISAdmin tool. The article specifies a disk location, but the real one is completely different. On my Windows Server 2012 it was installed in:

Installation directory

When I wanted to sync accounts which have the department attribute set to “IT”, I had to do the following:

Open up miisclient.exe and click on Management Agents:

Management Agents

Right click on AD Connector (Agent) and Properties:

Properties

On the left side you have to select Configure Connector Filter, then on the right select user and select New…:

Sync filter

Now declare a new condition, which means we don’t want users that have the department attribute set to IT:

Define filter

OK, OK. In the domain I set the value only for users User10-User19. Now let’s force synchronization (IMHO it could be something more intelligent and nicer 🙂 ).

Let’s go to the installation folder and run DirSyncConfigShell.psc1:

Running force sync

Now I have to run Start-OnlineCoexistenceSync:

Start-OnlineCoexistenceSync

You can check whether everything works fine in the Application events; you should see success at the end:

Synchronization succeeded

And in the Office 365 cloud I see just the users I wanted to see:

Filtered users

The only thing I’m missing is filtering based on group membership.

Have a nice day,

Active Directory synchronization with Office 365

June 26th, 2013 1 comment

Once upon a time there was a customer asking if we could help them integrate their Active Directory with the Office 365 cloud. The main request was to sync Active Directory users into the Office 365 cloud and then test Office 365 applications on their computers.

Registration for free Office 365

First you need to check the prices and packages you want to use. I wanted to test it, so I registered HERE. In the free month you can use licences for 10 users. Don’t forget to register for Office 365 Midsize Business; only this version of Office 365 can sync AD. After registration I received an e-mail with my account to log into the Office 365 portal. After the first logon there are really not too many things to configure. I have to note that I received the testing domain @AtosSlovakia.onmicrosoft.com. This is what you need to have.

Preparing playground

So I have my playground setup:

  • Domain name: DOMAIN.LOCAL
  • Domain controller: MT-SERVER01.DOMAIN.LOCAL
  • Server which will synchronize data into cloud Office 365: MT-SERVER02.DOMAIN.LOCAL

The computer which will do the synchronization needs to meet a couple of conditions:

  • Must have Microsoft .NET Framework 3.x
  • It cannot be a domain controller
  • Must be part of the domain
  • It can be Windows Server 2008, Server 2008 R2 or Server 2012
  • If you have fewer than 50 000 objects in AD which you want to sync, you can use Microsoft SQL Server 2008 Express. Otherwise you need to use “normal” SQL
  • Active Directory forest functional mode has to be Windows Server 2003 or higher

More HERE.

I also needed to generate some users in the domain to upload into the cloud. I created 50 bulk users using the following PowerShell script:

Create bulk AD users powershell

I received the testing domain suffix @AtosSlovakia.onmicrosoft.com from Office 365, so I had to set it as an additional UPN for the newly created users:

  • Open Active Directory Domains and Trusts
  • Right click on Active Directory Domains and Trusts and click Properties
  • Type the defined UPN and click OK

Setup Active Directory Synchronization

When you log on to the Office 365 portal, go to “users and groups” and select Active Directory synchronization Set up.

Activate AD Sync

Then you have to complete 6 steps (not really work to do) to make it work:

AD Sync Wizard

Activation of AD Sync tool can take about 24 hours:

24 hours activation

While we wait for the feature to be activated, let’s install the Directory Sync Tool on server MT-SERVER02.DOMAIN.LOCAL.


Quickie: Powershell not just for work

June 21st, 2013 No comments

I installed Microsoft Lync a couple of months ago at one customer. He asked me when his licence would expire. I knew the date when Lync was installed (28/2/2013) and the expiration period for Microsoft Lync server (180 days). I used the power of the shell (PowerShell) to check it out:

Get-Date AddDays

How cool is that? I really love PowerShell 🙂

Categories: Powershell, Quickie

“Nastroj na pripravu systemu” (System Preparation Tool)

June 8th, 2013 2 comments

It took me a while to realize (noticed it in the parentheses) that “Nastroj na pripravu systemu” is what we call SysPrep 🙂

Why do they translate it? They only confuse the enemy with it. 🙂

The ARP protocol, or how to become a guru at your customers

June 6th, 2013 3 comments

I had been thinking for a while about whether to write this article, and only now have I decided that I will. And that it will even be in Slovak 🙂 albeit without diacritics. I will try to describe three situations in which I was called into battle against a disobedient network, and how I solved them thanks to understanding the ARP protocol (Address Resolution Protocol).

Case 1

It was my first case in my current job. The customer had a network with the range 192.168.0.0/24. They ran out of IP addresses, so they decided to extend the IP range by changing the subnet mask to /23. So on the servers and active network devices that the IT staff knew about, they switched the subnet mask to /23. They also changed the subnet mask to /23 on the DHCP pool. And that is when the problems started. They showed up as follows: when they pinged the server's IP address from a client PC, 2 pings went through and 3 were lost, 2 pings went through and 3 were lost, and so on. It was interesting. I started WireShark and entered the filter ARP. Then I noticed something interesting in the network traffic. I started pinging a server on the local network. Before the ICMP Request was sent, an ARP Request was sent. I received an ARP Reply, after which I sent the ICMP Request to the MAC address obtained from the ARP Reply (the server's MAC address). After two ICMP Requests another ARP Reply arrived from a completely different MAC address than the server's MAC address. And since Windows trusts every ARP Reply (how else would we do Man-in-the-Middle?), my computer started sending ICMP Requests to the new MAC address. And that one, of course, did not answer. So that is why a few pings went through and a few did not.

Solution

The problem was that the local IT staff had not changed the IP ranges on all devices. They forgot that they still had some forgotten Cisco router in the network, and they did not change the subnet mask on it. And on Cisco devices Proxy ARP is enabled by default. Since the customer extended the IP range and the client DHCP pool moved into the new range, outside 192.168.0.0/24, these IP addresses were outside the range of the Cisco routers, so they behaved exactly as expected when Proxy ARP is enabled: they present their own MAC address, because they “try” to deliver packets for IP addresses outside their local range. More about Proxy ARP.

Case 2

Another time I was called to a different problem. The customer's description was that their IP telephony was misbehaving and that Slovak Telecom, from whom they had the IP telephony exchange, had no problem at all. That everything was green on their side 🙂 So I set out on an hour-long drive. When I arrived I found an interesting situation. I stood in the office and the phones were blinking like in a bad movie about hackers 🙂 The green phones were fine and the ones lit red were in a bad state. Their states changed randomly and the whole office was blinking as if a terrible hacker were infiltrating the FBI network 🙂 Here I was a guru like never before, because I turned on my notebook, started WireShark, set an IP address from the IP telephony range, and after about 20 ARP packets I saw the following:

IP duplicity

Solution

So all that was needed was to track down the MAC address which had the same IP address configured as the IP telephony exchange, and everything was fine. In the end we found out that the MAC address belonged to one of the IT guys 😀 So the summary of the day: 1 hour driving to the customer, 10 seconds finding the cause of the outages, 2 minutes finding the culprit, 30 minutes making up a story for management and 1 hour driving home 🙂
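The pattern seen in cases 1 and 2 (one IP address answered from two MAC addresses, and one MAC address answering for several IPs when Proxy ARP is on) can be checked automatically over a capture. This is an added example, not part of the original post; it assumes ARP replies dumped as text in the style of tcpdump -e -n arp, and the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -e -n arp` output (not from the post).
_HDR = "> 00:1c:23:00:00:99, ethertype ARP (0x0806), length 60: Reply"
SAMPLE = f"""\
09:00:00.100000 00:50:56:aa:00:01 {_HDR} 192.168.0.10 is-at 00:50:56:aa:00:01, length 46
09:00:02.300000 00:1b:54:cc:00:02 {_HDR} 192.168.0.10 is-at 00:1b:54:cc:00:02, length 46
09:00:03.000000 00:1b:54:cc:00:02 {_HDR} 192.168.1.77 is-at 00:1b:54:cc:00:02, length 46
09:00:04.000000 00:1b:54:cc:00:02 {_HDR} 192.168.1.78 is-at 00:1b:54:cc:00:02, length 46
09:00:05.000000 00:50:56:aa:00:03 {_HDR} 192.168.0.20 is-at 00:50:56:aa:00:03, length 46
"""

REPLY = re.compile(
    r"Reply (\d+\.\d+\.\d+\.\d+) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)


def parse_replies(text):
    """Yield (ip, mac) for every ARP reply line; all other lines are ignored."""
    for line in text.splitlines():
        m = REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def conflicting_ips(text):
    """IPs claimed by more than one MAC: duplicate address, Proxy ARP or spoofed reply."""
    macs = defaultdict(set)
    for ip, mac in parse_replies(text):
        macs[ip].add(mac)
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


def multi_ip_macs(text, threshold=3):
    """MACs answering for at least `threshold` IPs, as a Proxy ARP router does."""
    ips = defaultdict(set)
    for ip, mac in parse_replies(text):
        ips[mac].add(ip)
    return {mac: sorted(i) for mac, i in ips.items() if len(i) >= threshold}


if __name__ == "__main__":
    print("IPs with several MACs:", conflicting_ips(SAMPLE))
    print("MACs with several IPs:", multi_ip_macs(SAMPLE))
```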

Case 3

It was the same customer as in case 2. They had a problem with barcode readers in the warehouse. During the phone call I found out that the barcode readers were in the same VLAN as the PCs and the telephony. The problem was that the readers kept losing their connection to the SAP server in the server VLAN. When we pinged the server from a client PC, pings to the server were lost, and even pings to its own default gateway. The router had no load (<1%). Which was strange. So we started WireShark. And with the filter ARP I noticed that among the ARP messages that were supposed to be there I saw ARP messages concerning the IP range of the VLAN containing the printers and the print server. Which was quite strange. So I configured a second IP address from the print VLAN's range and found that when I pinged the print server, I reached it directly and not through the router. So the problem was detected right away: their VLANs were mixed together.

Solution

Once I had configured a second IP address from the print VLAN's range, I could trace on the switches where the VLANs had been mixed/shorted together. 🙂 So I went switch by switch until I reached some cheap TP Link on which Spanning Tree Protocol was disabled. I configured it and suddenly the network woke up and started doing what it should. On further analysis I found out that the customer had been expecting some visit, and since they were tidying up unplugged LAN cables, enthusiastic people plugged them in wherever they fit. That mixed the VLANs and also created loops on switches which did not have STP enabled, which caused loops/broadcast storms and other symptoms of a “shorted switch”.

So that is what I wanted to share from my experience on how to become a network guru in the eyes of the customer. And even solve some problems within 5 minutes 🙂 Of course I have to thank my good networking teacher, who gave me very good foundations – Peter Palúch. Thank you, Peto!

Failing VMTools installation

April 29th, 2013 No comments

Problem

When I was installing VMTools on a Windows Professional 2000 server I received a weird error:

VMTools installation error

The server didn’t specify any error, so I tried to dig into it.

Solution

When you install an application, the installer most of the time unpacks its sources into a temporary location. So I looked into the %temp% directory while the error window was displayed and found one directory with the current date. I looked into it and found a couple of files. One of them was called VMware Tools.msi. I tried to run VMware Tools.msi and it worked.

I hope this saves someone time 🙂

Quickie: How to clear all port statistics on Brocade switches

April 23rd, 2013 5 comments

During one migration I wanted to clear all port statistics on a Brocade switch. I couldn’t find any command which would clear statistics for all ports, so I had to do it one by one 🙁

portstatsclear 0
portstatsclear 1
portstatsclear 2
portstatsclear 3
portstatsclear 4
portstatsclear 5
portstatsclear 6
portstatsclear 7
portstatsclear 8
portstatsclear 9
portstatsclear 10
portstatsclear 11
portstatsclear 12
portstatsclear 13
portstatsclear 14
portstatsclear 15

So I posted this article so I can copy and paste commands to the switch 🙂

Categories: Quickie

Problems with CPU is incompatible error during VMware vMotion

April 23rd, 2013 14 comments

One of our users reported problems with vMotion after a firmware upgrade of an IBM server. The firmware was upgraded using BOMC (a utility to create ISO images to upgrade an IBM server to the latest versions available).

After the upgrade the user was not able to do vMotion. They received the following error:

Host CPU is incompatible with the virtual machine’s requirements at CPUID level 0x1 register ‘ecx’.

CPU is incompatible

After a couple of minutes of googling I found the following official articles:

Based on this information, something changes when you do a firmware upgrade: sometimes (from some version) the AES feature is enabled and sometimes it is disabled. This setting cannot be changed in the BIOS, which is really sad. So let’s look at how you can change it.

In the second article mentioned, IBM proposes downloading a prepared ISO image called BoMC-2.20-uEFI-AesEnable-to-enabled-vmotion-fix.iso. But I couldn’t find this ISO image, so I had to go another way. I downloaded the IBM Advanced Setting Utility and installed the version for 64-bit Windows. Your RSA card needs to be accessible over the network. Then you can run the following command to check the actual value:

asu64.exe showvalues UEFI.AesEnable --host RSA_IP_ADDRESS --user RSA_USER --password RSA_PASSWORD

AES showvalue

You can check it on all ESX servers. To decide whether the feature should be enabled or disabled, see this article. We need to change it to the same setting using the following command:

asu64.exe set UEFI.AesEnable Disable --host RSA_IP_ADDRESS --user RSA_USER --password RSA_PASSWORD

set AES

When the values are the same on all ESX servers you are able to do vMotion. I was kinda mad at IBM, because I would prefer to change this value in the BIOS instead of in some application.

Fun: Internet Explorer 6 or 10?

April 19th, 2013 No comments

I was browsing the Brocade website a lot over the last couple of days, but when I accessed it from my Internet Explorer 10 I received the following warning:

IE10 or IE 6

I think Internet Explorer has been out for quite some time, so Brocade had time to “implement” it on its website 🙂