Archive

Archive for the ‘Security’ Category

Easy Layer 2 Site to Site VPN

January 17th, 2025 No comments

When you need to connect two sites that use the same IP subnet, you have to create a Layer 2 site-to-site VPN, i.e. a non-routed VPN between the sites. Let's assume we have the following setup:

Easy network schema

We need to make sure that computer 10.30.31.10 can reach computer 10.30.31.20 and vice versa.

We need to install two Linux servers. I love the Debian distribution, so I have installed a Debian server at each site. Both servers have two interfaces:

ens192 – the first interface, used for the SSH connection. It has an IP address and is the working (management) interface.

ens224 – the second interface, plugged into the LAN we want to connect. It acts as a TAP interface – like a cable put into the LAN, with no IP settings. This interface is only brought up.

You will make an SSH connection from one site to the other, which means one server has to be reachable from the other site. I published TCP/22 (SSH) of SITE B on the Internet, so I could connect from the Debian server in SITE A to SSH on the Debian server in SITE B. You need to install the following packages on Debian:

uml-utilities
bridge-utils
net-tools

Run the following commands on both Linux servers:

echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward

and make those settings permanent (put the same two settings into /etc/sysctl.conf, which is the file this command reloads) by running:

sysctl -p

On the server that will act as the SSH server you need to change the following settings in the SSH config file /etc/ssh/sshd_config:

PermitRootLogin yes
PermitTunnel yes

Now we are ready to make the SSH connection between the Linux servers. Run the following command on the "ssh client" server to connect to the "ssh server" server:

ssh -f -o Tunnel=ethernet -o TunnelDevice=0:0 -w 0:0 root@IP_SSH_SERVER true

This command establishes the SSH connection between the Linux servers and creates a special interface on each of them, called tap0. Now we need to bridge the interfaces to make the VPN work. Run the following commands on BOTH servers:

Create the bridge interface:

brctl addbr br0

Add the "cable" interface ens224 and the VPN TAP interface tap0 to the bridge:

brctl addif br0 tap0
brctl addif br0 ens224

And now bring all those interfaces up:

ifconfig ens224 up
ifconfig tap0 up
ifconfig br0 up

Now everything is set up and the site-to-site VPN works like a charm. I never thought it was that easy to create such a connection.
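The bridging steps above, as an added example that is not part of the original post: it replays the brctl/ifconfig sequence with its iproute2 equivalents (bridge-utils and net-tools are deprecated on current Debian), waits for the tap device the ssh -w command creates, and verifies the bridge membership through sysfs. Interface names (ens224, tap0, br0) are taken from the post and can be overridden via the environment.

```shell
#!/bin/sh
# Added example: bridge the LAN "cable" interface and the SSH tap device,
# then verify the result. Run as root with "apply" after `ssh -w 0:0` is up.
set -eu

LAN_IF="${LAN_IF:-ens224}"
TAP_IF="${TAP_IF:-tap0}"
BR_IF="${BR_IF:-br0}"

# iproute2 equivalents of the brctl addbr/addif and ifconfig up commands.
bridge_commands() {
  cat <<EOF
ip link add name $BR_IF type bridge
ip link set dev $TAP_IF master $BR_IF
ip link set dev $LAN_IF master $BR_IF
ip link set dev $LAN_IF up
ip link set dev $TAP_IF up
ip link set dev $BR_IF up
EOF
}

# A port enslaved to a bridge shows up as /sys/class/net/<bridge>/brif/<port>.
# The optional third argument points at an alternative sysfs root (for tests).
bridge_has_port() {
  [ -d "${3:-/sys}/class/net/$1/brif/$2" ]
}

# `ssh -f ... -w 0:0` returns before tap0 exists; poll up to $2 seconds for it.
wait_for_iface() {
  i=0
  while [ "$i" -lt "${2:-10}" ]; do
    [ -e "${3:-/sys}/class/net/$1" ] && return 0
    i=$((i + 1)); sleep 1
  done
  return 1
}

if [ "${1:-}" = "apply" ]; then
  wait_for_iface "$TAP_IF" 15 || { echo "$TAP_IF never appeared" >&2; exit 1; }
  bridge_commands | while read -r cmd; do $cmd; done
  bridge_has_port "$BR_IF" "$TAP_IF" && bridge_has_port "$BR_IF" "$LAN_IF" \
    && echo "$BR_IF bridges $TAP_IF and $LAN_IF"
fi
```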

If you use VMware, these settings are needed:

VMWare Settings

If you use Hyper-V, these settings are needed:

Hyper-V settings

Enjoy.

Thank all folks,

Windows update restart problem

November 3rd, 2020 No comments

Once upon a time I had a problem with Windows Update. All updates got downloaded and installed, but when the user clicked the Restart button, Windows returned error 0x80070005.

After a couple of minutes of debugging with Process Monitor I found out that the process explorer.exe had a problem accessing the directory C:\Windows\System32\Tasks. That means that when you click the Restart button in Windows Update, Windows doesn't just restart the system; it creates a Scheduled Task to reboot. Weird, but that's how it does it.

So I created a GPO with security settings for the directory C:\Windows\System32\Tasks that grants BUILTIN\Users Modify rights to this directory.

And that’s the way we make it 🙂

Quickie: Problem accessing FTP using PHP

February 9th, 2015 No comments

One of our customers asked me to install and set up software to manage FTP storage via a web page. We decided to install the ftp2net free version. I tested it on my test server and there was no problem at all. On the customer's server I had problems. Installation went well, but when I tried to log in to the ftp2net website I received an error that the connection was refused. I checked whether Safe mode was on; it was off. Then I checked whether the PHP restriction allow_url_fopen was on. It was on, so I turned it off, but the website still didn't work. Eventually I started tcpdump and looked at the network interfaces for any FTP traffic. There was none. When I tried an FTP connection from a shell on the server, I could connect and I also saw the FTP traffic in tcpdump. It was weird. Something blocked the initiation of FTP connections by the Apache processes.

I found the solution after lunch 🙂 It was SELinux, a security feature of the Linux kernel. I had to run the command:

setsebool -P httpd_can_network_connect 1

This command sets the SELinux boolean that allows httpd/Apache processes to make outbound network connections (that is the protection which was blocking the FTP connection); the -P flag makes the change persistent across reboots.
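Before flipping a boolean it is worth confirming from the audit log that SELinux is the cause. The following is an added example, not from the original post: it parses constructed AVC denial records in the /var/log/audit/audit.log format (the same lines `ausearch -m avc -c httpd` prints) and separates port-connect denials, which httpd_can_network_connect governs, from file denials, which it does not.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for httpd.
# SAMPLE_AVC is constructed test data in the audit.log record format.
SAMPLE_AVC='type=AVC msg=audit(1423489201.123:456): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1423489202.456:457): avc:  denied  { write } for  pid=2345 comm="httpd" name="cache" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0'

# One line per denial from stdin: comm permission tclass target-type [dest=port]
avc_summary() {
  awk '
    /avc:  denied/ {
      perm = $0; sub(/.*\{ */, "", perm); sub(/ *\}.*/, "", perm)
      comm = ""; dest = ""; tclass = ""; ttype = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
        if ($i ~ /^dest=/)     { dest = " " $i }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
      }
      print comm, perm, tclass, ttype dest
    }'
}

# Count denials against a *_port_t type on a tcp_socket: only these are
# fixed by httpd_can_network_connect. Directory/file denials need a file
# context (chcon/semanage fcontext) fix instead.
count_port_denials() {
  avc_summary | awk '$3 == "tcp_socket" && $4 ~ /_port_t$/ { n++ } END { print n + 0 }'
}

# Takes one "name --> on|off" line as printed by getsebool; success when on.
sebool_is_on() {
  printf '%s\n' "$1" | awk '{ if ($NF == "on") exit 0; exit 1 }'
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf 'port denials: %s\n' "$(printf '%s\n' "$SAMPLE_AVC" | count_port_denials)"
```

On a live system, replace the constructed sample with `ausearch -m avc -c httpd | avc_summary` and check the current state with `getsebool httpd_can_network_connect`.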

I wanted to spend 10 minutes on this product, but I spent almost half of the day debugging this issue 🙂

Have a nice day,

Quickie: Use pfx certificate in linux

January 27th, 2015 1 comment

When you export a certificate with its private key in Windows, you get a .pfx file protected by a password. To use this certificate in Linux you need to convert the pfx file into .crt and .key files. You can use the following commands:

[root@nagios]# openssl pkcs12 -in nagios.pfx -clcerts -nokeys -out nagios.crt
Enter Import Password:
MAC verified OK
[root@nagios]# openssl pkcs12 -in nagios.pfx -nocerts -nodes -out nagios.key
Enter Import Password:
MAC verified OK

Now you have the two files, .crt and .key, which can be used in Linux.

That’s all folks,


Quickie: Real location for virtualized files and registry keys when using UAC

October 22nd, 2014 No comments

This is just a note. When UAC (User Account Control) is enabled and an application wants to write into %ProgramFiles%, all writes are redirected into %localappdata%\VirtualStore\. If the application writes into the registry under HKLM\Software, it is redirected to HKCU\Software\Classes\VirtualStore.

That’s all folks,


Quickie: Clean up your bash history

September 30th, 2014 No comments

Sometimes when you work in bash on Linux you don't want to leave commands in the bash history (.bash_history). An easy way to clean it up is to run the following command:

HISTSIZE=0

Now your bash history will not be accessible and will not be saved when you log off.


Quickie: Default Synology Console password

July 10th, 2014 No comments

I had a little problem with a Synology 814+ and couldn't get into the web management. So I connected to the console (the serial console speed is 115200). I could see the console, but I was not able to log in. I was looking for the default password and found out that Synology generates the password for admin and root from the actual date. More about it here. When your Synology doesn't have access to an Internet NTP server, its local date is 01/01/2001. That means the default console password is 101-0101 if the Synology doesn't have Internet access.

I hope this saves you at least an hour 🙂

DFSR not copying all temporary files

June 6th, 2014 1 comment

I implemented DFSR replication for a customer between two locations. People open the same files at both locations and want to use the Office document locking feature. This locking mechanism is based on the creation of temporary files (~*). So I removed the file exception (~*) from the DFSR Replication Group and allowed the temporary Office files to replicate. When I created and opened a Word document at one location, two files appeared: WORD.docx and ~$WORD.docx. And when I created a new Excel document, two files were created: EXCEL.xlsx and ~$EXCEL.xlsx.

Creation of temporary files

At the other location only two files were replicated (created): WORD.xlsx and ~$WORD.xlsx:

Replicated files

When I closed Word and Excel, the temporary files disappeared and the docx and xlsx files replicated correctly.

So let's look at why those files were not replicated. In some TechNet articles I found that DFSR doesn't replicate temporary files. More info is here and here.

It's good to know that DFSR doesn't replicate files marked as temporary. So let's look at those opened Word and Excel files.

WORD.docx

File attrib

– Only the archive attribute set (0x20)

~$WORD.docx:

File attrib

– Archive attribute (0x20) and Hidden (0x02)

EXCEL.xlsx

File attrib

– Only the archive attribute set (0x20)

~$EXCEL.xlsx

File attrib

So the fsutil utility cannot read data from this file. It looks like Excel opens its files in a different way than Word does, and that's why the file ~$EXCEL.xlsx didn't copy to the other location: DFSR cannot access this file while it is open in Excel.

This Excel behaviour means the Office locking mechanism does not work over DFSR.

Let's hope Microsoft fixes this in another Office release 🙂

Have a nice day,

Problem with issuing certificate to domain controllers

June 6th, 2014 No comments

I have experienced the same problem at two customers within four days. I had a server running Windows Server 2012 R2. I installed the Active Directory Certificate Services role with default settings, and the default certificate templates were installed as well. One of the default certificate templates is called Domain Controller and it should be enrolled automatically to all domain controllers using autoenrollment.

Certification Template

Certificates didn't autoenroll to the domain controllers, so I tried to enroll a certificate manually and received the following error:

Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

CA Error

After a couple of minutes of debugging I found out that it had something to do with the security of accessing the DCOM object. When I looked at the DCOM security settings I found a domain group called CERTSVC_DCOM_ACCESS. I googled it and found out that this group should contain all domain members that want to enroll certificates using DCOM, and the "Domain Controllers" group was missing:

certsvc_dcom_access

I just inserted the group "Domain Controllers" into the domain group CERTSVC_DCOM_ACCESS and rebooted the domain controllers, so they picked up the new group membership, and everything started to work as expected.

More info here and here.

That’s all for today,

How to implement Web Proxy Auto-Discovery Protocol

April 8th, 2014 4 comments

Web Proxy Auto-Discovery Protocol, known as WPAD, is a protocol used by web browsers to locate the URL of a proxy configuration file using DHCP or DNS.

How does it work?

The computer running the web browser must be configured to detect settings automatically. It can be turned on in Internet Explorer:

When the browser starts, it detects the WPAD URL. If the browser supports DHCP discovery it sends a DHCPINFORM query on the network asking for the WPAD option. If the client doesn't get a DHCP answer, it tries DNS. Let's assume we have the local domain expo.domain.local. The client will try the following URLs:

  • http://wpad.expo.domain.local/wpad.dat
  • http://wpad.domain.local/wpad.dat

When these DNS lookups are not successful the browser will try the URL with the NetBIOS name, http://wpad/wpad.dat.

This behaviour depends on the WPAD implementation in the browser. Some browsers don't use DHCP detection. Some will also try the URL http://wpad.local/wpad.dat. I will write only about Internet Explorer's behaviour.

Finally, when the browser gets the wpad.dat file from the WPAD URL, it parses the file and applies the proxy settings described in it.

How to make it work?

Let's assume we have DHCP and DNS services running on Windows Server. We also need IIS installed on the server. First of all we need to create a new IIS website:

We bind this website to port 80 and set the Host name to wpad.domain.local. We create a new directory C:\inetpub\wpad that the website will point to. Second, we need to define a new MIME type in IIS. Click on the IIS server name in the IIS console, then click on MIME Types:

On the right side click the Add... action and define the new MIME type (.dat – application/x-ns-proxy-autoconfig):

In the directory C:\inetpub\wpad create a new file called wpad.dat with the following content:

function FindProxyForURL(url, host) {
    // Proxy exceptions, matched against the full URL
    if (shExpMatch(url, "*intranet/*")) { return "DIRECT"; }
    if (shExpMatch(url, "*.domain.local/*")) { return "DIRECT"; }
    // Private address ranges are matched against the host: the URL starts
    // with "http://", so it would never match a pattern like "10.0.*"
    if (shExpMatch(host, "10.0.*")) { return "DIRECT"; }
    if (shExpMatch(host, "192.168.*")) { return "DIRECT"; }
    // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
    return "PROXY 10.0.0.100:8080";
}

This file is in the Proxy auto-config (PAC) format and is self-explanatory. It's a function which says that if the URL matches "*intranet/*", "*.domain.local/*", … the browser goes directly to that URL. Those are the proxy exceptions. All other traffic is sent to the proxy server 10.0.0.100 on port 8080. This script can be much more advanced. Be aware that if you make a mistake, some stupid browsers (including Internet Explorer) will skip the whole script and not use it 🙂
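Because a browser that rejects the PAC file gives no feedback, it helps to replay the rules offline first. The following is an added example, not part of the original post: PAC's shExpMatch() uses the same * and ? globbing as a shell `case` pattern, so the wpad.dat rules above can be mirrored in sh and run against sample URLs to see which go DIRECT and which go to the proxy, including the url-versus-host pitfall for the IP patterns.

```shell
#!/bin/sh
# Added example: replay the wpad.dat rules above in POSIX sh.

# shExpMatch(str, pattern): true when the whole string matches the glob.
# The unquoted $2 in the case label makes the shell treat it as a pattern.
sh_exp_match() {
  case "$1" in
    $2) return 0 ;;
    *)  return 1 ;;
  esac
}

# Host part of a URL, as the browser passes it to FindProxyForURL(url, host).
url_host() {
  h="${1#*://}"; h="${h%%/*}"; h="${h%%:*}"; printf '%s\n' "${h#*@}"
}

# Same rule order and return values as the wpad.dat above. The IP rules are
# checked against the host: a url begins with "http://" and would never
# match "10.0.*", which is how a copy-pasted PAC file silently sends LAN
# traffic through the proxy.
find_proxy_for_url() {
  url="$1"; host="$2"
  if sh_exp_match "$url" "*intranet/*"; then echo DIRECT; return; fi
  if sh_exp_match "$url" "*.domain.local/*"; then echo DIRECT; return; fi
  if sh_exp_match "$host" "10.0.*"; then echo DIRECT; return; fi
  if sh_exp_match "$host" "192.168.*"; then echo DIRECT; return; fi
  echo "PROXY 10.0.0.100:8080"
}

evaluate() { find_proxy_for_url "$1" "$(url_host "$1")"; }

# Constructed sample URLs covering each rule plus the default.
for u in http://intranet/home http://wpad.domain.local/wpad.dat \
         http://10.0.5.7/app http://192.168.1.20/ https://www.example.com/; do
  printf '%-40s %s\n' "$u" "$(evaluate "$u")"
done
```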

Now that our wpad.dat file is ready we can check whether we are able to download it with a browser. Just try to download http://wpad.domain.local/wpad.dat.

If everything works, let's tell the browsers that we have published the autoconfiguration file.

Publish in DHCP

First we need to create the new DHCP Option 252:

  • Open the DHCP Console
  • Right-click on the DHCP server, select Set Predefined Options and then click Add
  • In Name type wpad, as Data type select String and as Code type 252
  • Click OK
  • Enter the value http://wpad.domain.local/wpad.dat in the Value String field
  • Click OK
  • Right-click on Scope Options in the DHCP scope where you want to add option 252 and select Configure Options…
  • Scroll all the way down, select option 252 and click OK

That is all for the DHCP setup. Let's look at the DNS setup.

Publish in DNS

You need to create a DNS A record wpad.domain.local pointing to the IP where the WPAD website runs. Windows DNS servers will not answer DNS A queries for "wpad" by default; this is for security reasons. The default DNS global query block list contains two names: wpad and isatap. To enable wpad we need to leave only isatap in the block list, which you can do with the command dnscmd /config /globalqueryblocklist isatap.

Remember

  • If the browser supports DHCP discovery and receives a DHCP Option 252, it will not do DNS discovery
  • Some browsers don't support DHCP discovery. Only Internet Explorer and Konqueror support both the DHCP and DNS discovery functions

That’s all folks for today 🙂