2009/05/20

Remote execution on Windows

I've been trying to have a poor man's backup: from my scsi-tape-attached linux box, remote execute ntbackup on each of my windows boxes, then dump those backups to tape.

In the past, I've had separate scheduled tasks on each windows server; the problem is, there's no central error reporting mechanism. The idea of the new approach is to have all of the backup reporting (and exit statuses) in one cron log report.

I've been using winexe, which is pretty cool. It lets you run remote windows commands from Linux. It appears to be part of Samba4, although you don't need all of Samba4 to make it work.

...It hasn't worked properly.

This thread appears to say why:
'Any process you can access or create on a remote machine will not be able to "touch" any other machine in the network. Only an "interactive" session can do this by default.
'You would need to tell Active Directory to "Trust" the machine for "Delegation" to make this work. This is usually not a good idea as it can present a considerable security risk if not managed closely.'
If true, then that might have something to do with it.

...the selection lists, the backup scripts, and the backup targets are located on a linux samba server. Then again, it appears to be able to see and execute those files. Hmm... too tired, need to think about this more.

2009/05/19

OpenSolaris Notes

I'm primarily a linux guy (used Solaris between 96-2002), so here are some notes to self:

Service log files are stored under /var/svc/log

There are a few problems getting printing to work in 2009.06:
http://defect.opensolaris.org/bz/show_bug.cgi?id=2656
http://defect.opensolaris.org/bz/show_bug.cgi?id=6366

patch /etc/dbus-1/system.d/hal.conf

pkg install SUNWsmmgr
svcadm enable network/device-discovery/printers:snmp
svcadm refresh svc:/system/dbus:default
svcadm restart svc:/system/dbus:default
svcadm disable snmp
svcadm enable snmp
svcadm clear printers:snmp
svcs printers:snmp
tail -f /var/svc/log/*print* to see what's happening.

2009/05/16

Centos AD Authentication and users and groups

To configure your linux workstation to pull user, group, and authentication information from AD, run these commands. They do the dirty work of configuring pam, samba+winbind, nscd, and Kerberos.

..substitute your admin user account where mine is used below (admin-username), your AD dns domain/realm where domainname.com is used, and the netbios domain name where domainname is used.

yum install samba pam_krb5.x86_64 pam_smb.x86_64 nscd

authconfig --enableshadow --passalgo=sha512 --disablenis --disableldap --disableldapauth --disableldaptls --disablesmartcard --disablerequiresmartcard --enablekrb5 --krb5kdc=dc1.domainname.com --krb5adminserver=dc1.domainname.com --krb5realm=DOMAINNAME.COM --enablekrb5kdcdns --enablekrb5realmdns --disablesmbauth --smbworkgroup=DOMAINNAME --smbservers=dc1.domainname.com,dc2.domainname.com --enablewinbind --disablewinbindauth --smbsecurity=ads --smbrealm=DOMAINNAME.COM --smbidmapuid=10000000-20000000 --smbidmapgid=10000000-20000000 --winbindseparator=\\ --winbindtemplatehomedir=/home/%D/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablewinbindoffline --winbindjoin=admin-username --disablewins --disablehesiod --enablecache --enablelocauthorize --enablepamaccess --disablesysnetauth --enablemkhomedir --updateall

Note that all users on the domain will now be able to log in to your computer over the network, unless you either:

1. Set up an ssh AllowUsers or AllowGroups parameter in /etc/ssh/sshd_config (see man page for sshd_config); or

2. Use pam_access (see man page for pam_access)
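
A quick check that one of the two restrictions above is really in place after the join. This is an added example, not part of the original post; the group name linuxadmins and the sample files are constructed, and sshd Match blocks are not considered.

```shell
#!/bin/sh
# Added example: confirm that logins are restricted after the AD join.
# File paths are arguments, so the checks can run against copies.

# True if sshd_config has an active (uncommented) AllowUsers/AllowGroups line.
ssh_restricted() {
    grep -Eiq '^[[:space:]]*Allow(Users|Groups)[[:space:]]+[^[:space:]]' "$1"
}

# True if the last active rule in access.conf is "- : ALL : ALL".
# pam_access applies the first matching rule and allows access when nothing
# matches, so the trailing deny-all is what makes the "+" lines an allow-list.
pam_access_restricted() {
    last=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | tail -n 1 | tr -d '[:space:]')
    [ "$last" = "-:ALL:ALL" ]
}

# Report both mechanisms; return 0 only if at least one restricts logins.
check_login_restrictions() {
    rc=1
    if ssh_restricted "$1"; then
        echo "sshd: AllowUsers/AllowGroups set"; rc=0
    else
        echo "sshd: no AllowUsers/AllowGroups, sshd itself limits nobody"
    fi
    if pam_access_restricted "$2"; then
        echo "pam_access: deny-all fallback present"; rc=0
    else
        echo "pam_access: no deny-all fallback, unmatched users are allowed"
    fi
    return "$rc"
}

# Constructed sample files; "linuxadmins" is a hypothetical AD group.
demo=$(mktemp -d)
printf 'Port 22\n#AllowGroups linuxadmins\n' > "$demo/sshd_config"
printf '+ : root : ALL\n+ : (linuxadmins) : ALL\n- : ALL : ALL\n' > "$demo/access.conf"
check_login_restrictions "$demo/sshd_config" "$demo/access.conf"
```

On a real host, pass /etc/ssh/sshd_config and /etc/security/access.conf. The sshd setting only covers ssh, while pam_access covers every PAM service that includes it.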

2009/05/12

XenServer VM won't shutdown


I had a windows x64 vm domU that was locked up. It would not shut down through XenCenter. It would not shut down through the command line with "xe vm-shutdown vm=" or "xe vm-shutdown --force vm=".

In the logs were these messages:
VM.hard_shutdown R:82ca53505e13|xapi] VM.hard_shutdown locking failed: caught transient failure OTHER_OPERATION_IN_PROGRESS: [ VM; OpaqueRef:6c1f16b5-7a80-c3fa-eb07-6b605d1fa305 ]
[20090512 08:43:59.181|debug|vserve0|166 unix-RPC|VM.hard_shutdown R:82ca53505e13|xapi] Waiting for 12.745108 seconds before retrying...

I could not find any information on what "OTHER_OPERATION_IN_PROGRESS" meant (other than the obvious), or how to address it.

A host reboot also did not work: the xen host would not shut down gracefully, because it could not terminate this vm -- it would just hang at "terminating remaining VM's".

Finally, too late, I found the answer in the Citrix forums:

To know the cause of the rejection, you can try running xe task-list and see if anything is in pending state that might be related to the command failure.

If you do see anything that is likely to be in the way, try removing the task with xe task-cancel uuid= TASK-UUID, then try the shutdown operation again.


You may have to do a
xe-toolstack-restart.

2009/05/04

Samba and SELinux

In a previous post, I mentioned that you can keep selinux enabled to keep your system a bit more secure, by applying a label to your system.  For example, with a Samba share, you might do this:

chcon -R -t samba_share_t /srv/exports/backups

This labels (recursively) the /srv/exports/backups share as a samba share.

But this change won't persist across a filesystem relabel.  So, we have to do this:

semanage fcontext -a -t samba_share_t '/srv/exports/backups(/.*)?'
restorecon -R -v /srv/exports/backups


For more tips and more options, see http://danwalsh.livejournal.com/14195.html .