Syed Jahanzaib Personal Blog to Share Knowledge !

February 24, 2015

Table ‘conntrack.tabidx’ doesn’t exist

Filed under: Linux Related — Tags: , — Syed Jahanzaib / Pinochio~:) @ 11:32 AM


Short reference:

While accessing the RM users section, I received the error “Table ‘conntrack.tabidx’ doesn’t exist”, as shown in the image below …

[Image: the ‘conntrack.tabidx’ doesn’t exist error in the RM users section]

This is how I fixed it.

On your RM box, create a file that will hold the table definition:

touch conntrack.sql
nano conntrack.sql

Paste the following table definition:

-- phpMyAdmin SQL Dump
-- version 2.11.0
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Sep 03, 2008 at 11:57 AM
-- Server version: 5.0.18
-- PHP Version: 5.1.2

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

--
-- Database: `conntrack`
--

-- --------------------------------------------------------

--
-- Table structure for table `tabidx`
--

DROP TABLE IF EXISTS `tabidx`;
CREATE TABLE IF NOT EXISTS `tabidx` (
`date` date NOT NULL,
PRIMARY KEY  (`date`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

SAVE and exit.

Now use the following command to import the table into the mysql database ‘conntrack’:

mysql -h localhost -u root -pYOURPASS conntrack < conntrack.sql

FYI, the table definition above was extracted from the Radius Manager installation archive, for example:
/radiusmanager-4.x.x/sql/rconntrack.sql

You can take any missing table from that file and import it into mysql the same way.
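The archive's SQL files start every table with DROP TABLE IF EXISTS, so importing a whole file into a live database would recreate (and empty) the tables you already have. The helper below is an added example, not the author's or DMA Softlab's code: it lists which tables a dump defines that are missing from a database and extracts just one table's CREATE statement for import; it assumes the output of `mysql -N -e 'SHOW TABLES' conntrack` saved to a file, and the archive path in its comments is an assumption.

```shell
#!/bin/bash
# Added example (not from the post): find tables that exist in a Radius Manager
# SQL dump but not in the live database, and pull out a single CREATE TABLE
# statement so it can be imported without the dump's DROP TABLE lines.
#
# Real usage (archive path is an assumption, adjust to yours):
#   mysql -u root -p -N -e 'SHOW TABLES' conntrack > /tmp/existing.txt
#   missing_tables /temp/radiusmanager-4.1.0/sql/conntrack.sql /tmp/existing.txt
#   extract_table  /temp/radiusmanager-4.1.0/sql/conntrack.sql tabidx | mysql -u root -p conntrack

# Table names a dump creates, one per line. Handles both
# "CREATE TABLE `x` (" and "CREATE TABLE IF NOT EXISTS `x` (".
dump_tables() {
    sed -n 's/^CREATE TABLE \(IF NOT EXISTS \)\{0,1\}`\([^`]*\)`.*/\2/p' "$1"
}

# Print tables defined in dump $1 that are absent from the SHOW TABLES
# listing in $2. Returns 0 when nothing is missing, 1 otherwise.
missing_tables() {
    have=$(mktemp)
    grep -v '^[[:space:]]*$' "$2" > "$have" || true   # drop blank lines; an empty listing is fine
    missing=$(dump_tables "$1" | grep -Fxv -f "$have" || true)
    rm -f "$have"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Print only the CREATE TABLE block for table $2 from dump $1 (from the CREATE
# line to the closing ") ENGINE=..." line), deliberately without the DROP line.
extract_table() {
    sed -n "/^CREATE TABLE \(IF NOT EXISTS \)\{0,1\}\`$2\` /,/^)/p" "$1"
}

# Constructed sample input so the helpers can be tried offline: a two-table dump
# in the phpMyAdmin style of the post, and a SHOW TABLES listing where only
# demo_sessions exists (demo_sessions is made up; tabidx is the table from the post).
write_sample() {   # $1 = directory to write into
    cat > "$1/dump.sql" <<'EOF'
-- constructed sample dump (not a real Radius Manager file)
SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";
DROP TABLE IF EXISTS `demo_sessions`;
CREATE TABLE IF NOT EXISTS `demo_sessions` (
`id` int(11) NOT NULL,
PRIMARY KEY  (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

DROP TABLE IF EXISTS `tabidx`;
CREATE TABLE IF NOT EXISTS `tabidx` (
`date` date NOT NULL,
PRIMARY KEY  (`date`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
EOF
    printf 'demo_sessions\n' > "$1/existing.txt"
}

# Offline demo: prints "tabidx", the one table the sample database lacks.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
missing_tables "$demo_dir/dump.sql" "$demo_dir/existing.txt" || true
rm -rf "$demo_dir"
```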


 

 

Regards,
Syed_Jahanzaib

Automated installation Script For DMASOFTLAB RADIUS MANAGER v4.1 in CENTOS

Filed under: Linux Related — Tags: — Syed Jahanzaib / Pinochio~:) @ 10:49 AM

[As demanded by a few humans 😉 ]

Following is a customized script to install DMASOFTLAB Radius Manager ver 4.1 on CentOS 6.x / 32-bit.

The aim of writing this script was to save some time and effort every time I do a new RM installation. Since DMA doesn’t have any official support forum (except for their email support, which is valid for paid customers only), I thought it might be helpful for others too to share this info 🙂

I know very well that it is not a perfect script; it could be shortened as per requirement, but it still does its job very nicely without any user intervention 🙂

Suggestions are most welcome at . . .
aacable @ hotmail . com

Requirements:

1- Fresh installation of CentOS 6.x 32-bit (the script has been tested with the 6.6 32-bit edition only)

2- Good Internet access, of course ; )

3- Valid license files provided by DMASOFTLAB, valid for the MAC address of your physical (or virtual) interface. You can upload your license files to the /temp folder, as the script will try to copy the 2 required license files (lic.txt and mod.txt) from /temp to the appropriate place.

What components does this script add to the system?

This script will do the following, in order:

> Disable the iptables service, IPv6 and SELinux on CentOS

> Download Radius Manager from a remote location (preferably Google Drive, adjustable in the script)

> Install necessary components like mysql, apache2, php5 etc.

> Download and install the components DMASOFTLAB requires, like libltd* and IONCUBE, and add their entries to Apache’s php config file

> Download and compile the freeradius-server-2.2.0-dma-patch-2 package

> Add the Radius & Conntrack DBs in mysql using the CLI (I have configured a default mysql password, ‘zaib1234’; you can change it later)

> Extract the Radius Manager installation file & install it accordingly

> Restart services like apache2, mysql, radius

IMPORTANT:

1- Before accessing the RM ACP, make sure you upload valid LICENSE files into the /var/www/html/radiusmanager folder

2- This script will set the mysql password to “zaib1234”; you can change it later.


How-to Execute The Script !!

There are several ways to do it; one is explained below . . .

Create a new script

touch /rm-centos-32bit.sh
chmod +x /rm-centos-32bit.sh
vi /rm-centos-32bit.sh

Now copy and paste the following code.
#!/bin/bash
clear
# Colors Config  . . . [[ JZ . . . ]]  (defined before first use so the banner below is coloured)
ESC_SEQ="\x1b["
COL_RESET=$ESC_SEQ"39;49;00m"
COL_RED=$ESC_SEQ"31;01m"
COL_GREEN=$ESC_SEQ"32;01m"

echo -e "$COL_GREEN Radius Manager installer script for CENTOS 6.x 32bit"
echo -e "Copyright 2004-2013, DMA Softlab LLC"
echo -e "All right reserved.. $COL_RESET"
echo -e "$COL_GREEN Script modified by Syed Jahanzaib for CENTOS $COL_RESET"

# Variables & Paths [jz]
wwwpath="/var/www/html"
radhost="localhost"
myusr_rad="radius"
mypsw_radius="radius123"
ctshost="localhost"
myusr_cts="conntrack"
mypsw_cts="conn123"
radusr="root"
httpusr="apache"

# MySQL ROOT Password , Change this variable according to your own setup if required. . . [[ JZ . . . ]]
sqlpass="zaib1234"

# RM Installation Package Download URL , Change this variable according to your own setup , if required. . . [[ JZ . . . ]]
#rmurl="http://wifismartzone.com/files/rm_related"
#Google Drive link is more reliable
rmurl="https://b59d0c94e88b62119ea102d0f74a3ba5fc260ea6.googledrive.com/host/0B8B_P2ljEc2xUEgyb1RjcWl1aUE"

# Temporary Folder where all software will be downloaded . . . [[ JZ . . . ]]
temp="temp"

# Packages which will be installed as pre requisite and to make your life easier
PKG="nano wget curl net-tools lsof mc make gcc libtool-ltdl curl httpd mysql-server mysql-devel net-snmp net-snmp-utils php php-mysql php-gd php-snmp php-process"

# Turn off iptables and disabled
echo -e "$COL_GREEN Disabling iptables service, $COL_RESET"
service iptables stop
chkconfig iptables off

echo -e "$COL_GREEN Disabling IPv6 to avoid slow link issue $COL_RESET"
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.lo.disable_ipv6 = 1" >> /etc/sysctl.conf

# Turn off SELINUX andd disable it on boot
echo -e "$COL_GREEN Disabling SELINUX & setting it disabled on boot ... $COL_RESET"
echo 0 > /selinux/enforce
sed -i "s/=enforcing/=disabled/g" /etc/selinux/config

# Installing WGET which is not in default installation of CENTOS 6.5 Minimal [jz]
sleep 3
echo -e "$COL_GREEN Installing WGET to fetch required tools later ... $COL_RESET"
yum install -y wget

# Checking if /temp folder is previously present or not . . .
{
if [ ! -d "/temp" ]; then
echo
echo -e "$COL_RED /temp folder not found, Creating it so all downloads will be placed here  . . . $COL_RESET"
mkdir /$temp
else
echo
echo -e "$COL_GREEN /temp folder is already present , so no need to create it, Proceeding further . . . $COL_RESET"
echo
fi
}

# Clearing Old downloads in /temp to avoid DUPLICATIONS . . .
echo -e "$COL_RED Clearing Old downloads in /temp to avoid DUPLICATIONS . . . $COL_RESET"

rm -fr /$temp/radiusmanager*.*
rm -fr /$temp/freeradius*.*
rm -fr /$temp/libltd*.*
rm -fr /$temp/ioncube*.*
rm -fr /$temp/php-my*
rm -fr /$temp/libmy*
rm -fr /$temp/rm4.txt

# Checking IF $rmurl is accessible m if YES then continue further , otherwise EXIT the script with ERROR ! [[ JZ .. . .]]
echo -e "$COL_GREEN Checking if zaib Google Drive or other URL to download requires  packages is accessible in order to proceed further. . .!! $COL_RESET"
sleep 3
cd /$temp
wget -q $rmurl/rm4.txt
{
if [ ! -f /$temp/rm4.txt ]; then
echo
echo -e "$COL_RED ERROR: Unable to contact $rmurl, or possibly internet is not working or your IP is in black list at destination server  !! $COL_RESET"
echo -e "$COL_RED ERROR: Please check manual if $rmurl is accessible or not or if it have required files, JZ  !! $COL_RESET"
exit 1
fi
}

######################

echo -e "$COL_GREEN $rmurl accessible $COL_RESET ......OK......"
echo -e "$COL_GREEN Downloading RADIUS MANAGER 4.1.0 package from INTERNET  .  (Press CTRL+C to stop any time) $COL_RESET"
wget $rmurl/radiusmanager-4.1.0.tgz
# Checking if RM installation file have been downloaded. if YES continue further , otherwise EXIT the script with ERRO ! [[ JZ .. . .]]
{
if [ ! -f /$temp/radiusmanager-4.1.0.tgz ]; then
echo .
echo -e "$COL_RED ERROR: RM Installation File could not be download or found in /$temp ! $COL_RESET"
exit 1
fi
}

echo -e "$COL_GREEN Installing some tools and other pre-requisites for the application ... ! $COL_RESET"
yum install -y $PKG
echo -e "$COL_GREEN YUM install/update Done.! $COL_RESET"

echo -e "$COL_GREEN Installing LIBMYCRYPT and PHPMCRYPT ... ! $COL_RESET"
wget $rmurl/libmcrypt-2.5.8-9.el6.i686.rpm
wget $rmurl/php-mcrypt-5.3.2-3.el6.i686.rpm
rpm -i libmcrypt-2.5.8-9.el6.i686.rpm
rpm -i php-mcrypt-5.3.2-3.el6.i686.rpm
sleep 3

# IONCUBE Installation:
# Now Download ioncube library and add it to php  . . . [[ JZ . . . ]]
echo .
echo -e "$COL_GREEN Installing IONCUBE  .  (Press CTRL+C to stop any time) $COL_RESET"
wget $rmurl/ioncube_loaders_lin_x86.tar.gz

# Checking if IONCUBE installation file have been downloaded. if YEs continue further , otherwise EXIT the script with ERROR ! [[ JZ .. . .]]
{
if [ ! -f /$temp/ioncube_loaders_lin_x86.tar.gz ]; then
echo .
echo -e "$COL_RED ERROR: COULD NOT DOWNLOAD IONCUBE !!! EXITING . . .  $COL_RESET"
exit 1
fi
}

tar zxvf ioncube_loaders_lin_x86.tar.gz
mkdir /usr/local/ioncube
cp -fr /$temp/ioncube/* /usr/local/ioncube/

# Now Add the appropriate ionCube loader to your php.ini . . . [JZ]
echo .
echo -e "$COL_GREEN Adding iONCUBE extension in PHP config file  .  (Press CTRL+C to stop any time) $COL_RESET"
echo "zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.3.so" >> /etc/php.ini
echo .
echo -e "$COL_GREEN Downloading FREERADiUS 2.2.20-dma-patch-2 package  .  (Press CTRL+C to stop any time) $COL_RESET"
wget $rmurl/freeradius-server-2.2.0-dma-patch-2.tar.gz

# Checking if FREERADIUS is downloaded, just to make sure internet is working ,IF NOT, EXIT the script with ERROR ! [[ JZ .. . .]]
{
if [ ! -f /$temp/freeradius-server-2.2.0-dma-patch-2.tar.gz ]; then
echo .
echo -e "$COL_RED ERROR: COULD NOT DOWNLOAD FREERADIUS 2.2.20-dma-patch-2, possible INTERNET is not Working !!! EXITING . . .  $COL_RESET"
exit 1
fi
}

echo .
echo -e "$COL_GREEN Starting to Compile FREERADIUS  ...  (Press CTRL+C to stop any time) $COL_RESET"
sleep 3

cd /$temp
tar zxvf freeradius-server-2.2.0-dma-patch-2.tar.gz
cd /$temp/freeradius-server-2.2.0/

### Now proceed with the compilation of FREERAIDUS , applicable for all
./configure
make
make install
ldconfig
echo -e "$COL_GREEN Starting FREERADIUS by radiusd -xx coommand & start radius service.  (Press CTRL+C to stop any time) $COL_RESET"
radiusd -xx
service radiusd start
sleep 3

# ================================================================
# Creating MySQL databases with MySQL command line tool . . . [JZ]
# ================================================================
# ** FROM CLI ** . . . [JZ]
echo -e "$COL_GREEN Starting MYSQLD service to create Radius Manager Database.  (Press CTRL+C to stop any time) $COL_RESET"
echo -e "$COL_GREEN MYSQL root password is set to   '$sqlpass'  $COL_RESET"
service mysqld start
mysqladmin -u root password "$sqlpass"
echo .
echo -e "$COL_GREEN adding RADIUS user & DB in MYSQL  .  (Press CTRL+C to stop any time) $COL_RESET"
mysql -u root -p$sqlpass -e "create database radius";
mysql -u root -p$sqlpass -e "create database conntrack";
mysql -u root -p$sqlpass -e "CREATE USER '$myusr_rad'@'$radhost' IDENTIFIED BY '$mypsw_radius';"
mysql -u root -p$sqlpass -e "CREATE USER '$myusr_cts'@'$ctshost' IDENTIFIED BY '$mypsw_cts';"
mysql -u root -p$sqlpass -e "GRANT ALL ON radius.* TO '$myusr_rad'@'$radhost';"
mysql -u root -p$sqlpass -e "GRANT ALL ON conntrack.* TO '$myusr_cts'@'$ctshost';"

# UNTAR Copy WEB content

echo -e "$COL_GREEN Copying Radius Manager WEB content to $wwwpath/radiusmanager $COL_RESET"
cd /$temp
tar zxvf radiusmanager-4.1.0.tgz
mkdir $wwwpath/radiusmanager
cp -fr /$temp/radiusmanager-4.1.0/www/radiusmanager $wwwpath
sleep 3

# rename .dist files

mv $wwwpath/radiusmanager/config/paypal_cfg.php.dist $wwwpath/radiusmanager/config/paypal_cfg.php
mv $wwwpath/radiusmanager/config/netcash_cfg.php.dist $wwwpath/radiusmanager/config/netcash_cfg.php
mv $wwwpath/radiusmanager/config/authorizenet_cfg.php.dist $wwwpath/radiusmanager/config/authorizenet_cfg.php
mv $wwwpath/radiusmanager/config/dps_cfg.php.dist $wwwpath/radiusmanager/config/dps_cfg.php
mv $wwwpath/radiusmanager/config/2co_cfg.php.dist $wwwpath/radiusmanager/config/2co_cfg.php
mv $wwwpath/radiusmanager/config/payfast_cfg.php.dist $wwwpath/radiusmanager/config/payfast_cfg.php

# set ownership and permissions

chown $httpusr $wwwpath/radiusmanager/config
chown $httpusr $wwwpath/radiusmanager/config/system_cfg.php
chown $httpusr $wwwpath/radiusmanager/config/paypal_cfg.php
chown $httpusr $wwwpath/radiusmanager/config/netcash_cfg.php
chown $httpusr $wwwpath/radiusmanager/config/authorizenet_cfg.php
chown $httpusr $wwwpath/radiusmanager/config/dps_cfg.php
chown $httpusr $wwwpath/radiusmanager/config/2co_cfg.php
chown $httpusr $wwwpath/radiusmanager/config/payfast_cfg.php
mkdir -p $wwwpath/radiusmanager/tmpimages
chown $httpusr $wwwpath/radiusmanager/tmpimages
chown $httpusr $wwwpath/radiusmanager/tftpboot
chmod 600 $wwwpath/radiusmanager/config/system_cfg.php
chmod 600 $wwwpath/radiusmanager/config/paypal_cfg.php
chmod 600 $wwwpath/radiusmanager/config/netcash_cfg.php
chmod 600 $wwwpath/radiusmanager/config/authorizenet_cfg.php
chmod 600 $wwwpath/radiusmanager/config/dps_cfg.php
chmod 600 $wwwpath/radiusmanager/config/2co_cfg.php
chmod 600 $wwwpath/radiusmanager/config/payfast_cfg.php
chmod 644 $wwwpath/radiusmanager/config/docsis_keyfile
chmod 644 $wwwpath/radiusmanager/config/docsis_template

# chmod and copy binaries
cd /$temp/radiusmanager-4.1.0/
echo "Copying binaries to /usr/local/bin"
chmod 755 bin/rm*
cp bin/rm* /usr/local/bin

echo "Copying rootexec to /usr/local/sbin"
cp bin/rootexec /usr/local/sbin
chmod 4755 /usr/local/sbin/rootexec

# chmod and copy radiusmanager.cfg

echo "Copying radiusmanager.cfg to /etc"
cp etc/radiusmanager.cfg /etc
chown $radusr /etc/radiusmanager.cfg
chmod 600 /etc/radiusmanager.cfg

# create Tables

echo -e "$COL_GREEN Creating MYSQL Table $COL_RESET"
mysql -h $radhost -u $myusr_rad -p$mypsw_radius radius < sql/radius.sql
mysql -h $radhost -u $myusr_cts -p$mypsw_cts conntrack < sql/conntrack.sql

# create rmpoller service
echo "Enabling rmpoller service at boot time"
cp rc.d/rmpoller /etc/init.d
chown root.root /etc/init.d/rmpoller
chmod 755 /etc/init.d/rmpoller
chkconfig --add rmpoller

# create rmconntrack service
echo "Enabling rmconntrack service at boot time"
cp rc.d/rmconntrack /etc/init.d
chown root.root /etc/init.d/rmconntrack
chmod 755 /etc/init.d/rmconntrack
chkconfig --add rmconntrack

# copy radiusd init script

echo -e "$COL_GREEN Enabling radiusd service at boot time $COL_RESET"
chmod 755 rc.d/redhat/radiusd
cp rc.d/redhat/radiusd /etc/init.d
chkconfig --add radiusd

# copy logrotate script
echo "Copying logrotate script"
cp etc/logrotate.d/radiusd /etc/logrotate.d/radiusd

# copy cron job script
echo -e "$COL_GREEN Copying cronjob script $COL_RESET"
cp etc/cron/radiusmanager /etc/cron.d/radiusmanager
chmod 644 /etc/cron.d/radiusmanager

# comment out the old style cron job
sed -i 's/02\ 0\ \*\ \*\ \*\ root\ \/usr\/bin\/php/#2\ 0\ \*\ \*\ \*\ root\ \/usr\/bin\/php/g' /etc/crontab

# set permission on raddb files
echo -e "$COL_GREEN Setting permission on raddb files $COL_RESET"
chown $httpusr /usr/local/etc/raddb
chown $httpusr /usr/local/etc/raddb/clients.conf
sleep 3

echo -e "$COL_GREEN Re-Starting Apache2, Radius Service & add them in startup... $COL_RESET"
service httpd restart
chkconfig --add mysqld
chkconfig --add httpd
chkconfig --add radiusd
chkconfig mysqld on
chkconfig httpd on
chkconfig radiusd on

# License files uploaded to /temp by the user (see Requirements) go into the web folder
cp /$temp/lic.txt $wwwpath/radiusmanager
cp /$temp/mod.txt $wwwpath/radiusmanager

echo .
echo .
echo .
echo .
echo .
echo -e "$COL_GREEN All Done. Kindly RESTART the system one time to make sure everything is ok on reboot."
echo -e "Dont forget to upload the correct License files for your valid MAC address in /var/www/html/radiusmanager folder"
echo -e "Please access ADMIN panel via http://yourip/radiusmanager/admin.php $COL_RESET"
echo -e "DMASOFTLAB RM Installation script modified for CENTOS by $COL_RED SYED JAHANZAIB / aacable@hotmail.com $COL_RESET"

Save & Exit …

Now execute the script by

/rm-centos-32bit.sh

After the script ends, make sure that you don’t see any errors during the installation. That’s why I have added 3-second delays in a few sections, so you can view the results.
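The script above only checks that each download exists in /temp before unpacking it, and exits 0 on failure, which any wrapper reads as success. As an added example that is not part of the author's script, the helper below fetches a file with wget, compares its SHA-256 digest against an expected value and returns non-zero on any mismatch; the expected digest is a placeholder to be filled in from a known-good copy.

```shell
#!/bin/bash
# Added example (not from the post): download-and-verify helper for the installer.
# Every archive the script fetches (radiusmanager-4.1.0.tgz, ioncube_loaders_lin_x86.tar.gz,
# freeradius-server-2.2.0-dma-patch-2.tar.gz) is unpacked and installed as root, so a
# truncated or swapped download should stop the run rather than be compiled in.

# Hex SHA-256 digest of file $1: sha256sum on CentOS, shasum where that is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED -> 0 if the digest matches, 1 if the file is missing
# or the digest differs (the reason is written to stderr).
verify_sha256() {
    if [ ! -f "$1" ]; then
        echo "ERROR: $1 not found" >&2
        return 1
    fi
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "ERROR: SHA-256 mismatch for $1" >&2
        echo "  expected: $2" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# fetch_verified URL DEST EXPECTED -> download with wget, verify, and delete the
# file again on any failure so that a later "[ -f DEST ]" test cannot pass by accident.
fetch_verified() {
    if ! wget -q -O "$2" "$1"; then
        rm -f "$2"
        echo "ERROR: download of $1 failed" >&2
        return 1
    fi
    verify_sha256 "$2" "$3" || { rm -f "$2"; return 1; }
}

# How the installer would call it. RM_SHA256 is a placeholder: take the value from a
# copy of radiusmanager-4.1.0.tgz you have verified yourself. Note the "exit 1":
# the original script exits 0 on error, which a calling shell reads as success.
#
#   RM_SHA256="<sha256 of radiusmanager-4.1.0.tgz>"
#   fetch_verified "$rmurl/radiusmanager-4.1.0.tgz" "/$temp/radiusmanager-4.1.0.tgz" "$RM_SHA256" || exit 1
```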

Now UPLOAD your valid license into /var/www/html/radiusmanager, OTHERWISE YOU WILL SEE A BLANK PAGE ON ACCESSING THE RM ADMIN PANEL.

Now try to access the RM ACP via browser at

http://yourip/radiusmanager/admin.php

If you get a blank page, use the tail command to view the Apache error log, for example

tail -f /var/log/httpd/error_log

OR, more specifically

tail -f /var/log/httpd/error_log | grep lic

If you see an error like the one shown in the image below (for an invalid license), then make sure your license files are valid for the right version and for the right interface MAC address.

[Image: rm-lic-error]

To deploy Radius Manager Patch 5 (4.1.5), kindly see the following link

https://aacable.wordpress.com/2014/02/28/radius-manager-4-1-patch5-deployment/

I will add a few snapshots and a video as soon as I get some time.

Regards,
Syed Jahanzaib

February 20, 2015

LEGACY OF CENTOS ! Continued …

Filed under: Linux Related — Tags: , , , , — Syed Jahanzaib / Pinochio~:) @ 3:14 PM

Some personal notes / references for the CentOS 6.x command line.

CentOS 6.6 <32 bit> DOWNLOAD LINK …

http://mirrors.nayatel.com/centos/6.6/isos/i386/CentOS-6.6-i386-minimal.iso


Kill all DEFUNCT processes automatically

ps -ef | grep defunct | grep -v grep | cut -b8-20 | xargs kill -9

Enable SNMP in CENTOS , tested with 6.x

To enable SNMP in CentOS quickly, copy and paste the following. It will add the ‘public’ community as read-only.

yum -y install net-snmp net-snmp-utils
# Replace the default config with a minimal one (read-only 'public' community)
echo 'rocommunity public' > /etc/snmp/snmpd.conf
echo 'syslocation "Karachi NOC, Pakistan"' >> /etc/snmp/snmpd.conf
echo 'syscontact aacable_at_hotmail_com' >> /etc/snmp/snmpd.conf
service snmpd restart
chkconfig snmpd on
snmpwalk -v1 -c public 127.0.0.1

Configuring Static IP address in CENTOS [6.x]

If you want to configure a static IP address in CentOS, edit the following file

vi /etc/sysconfig/network-scripts/ifcfg-eth0

Use the following as a sample

DEVICE=eth0
HWADDR=00:0C:29:73:0A:5A
TYPE=Ethernet
UUID=d34531a1-3c76-4527-8e50-448857568abc
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=192.168.10.2  # IP address you want to fix
NETMASK=255.255.255.0   # Netmask as per your network (mind the spelling: a misspelt key is silently ignored)
# or, if NETMASK doesn't work, use PREFIX=24 (change 24 as per your network, e.g. 8 for a /8)
GATEWAY=192.168.10.1   # Your router/DSL gateway
DNS1=8.8.8.8   # Your ISP DNS or the standard Google DNS

Note: make sure the following are set

NM_CONTROLLED=no
BOOTPROTO=static
ONBOOT=yes

Save & exit, then restart the network service or the interface for the change to take effect

service network restart

OR

ifdown eth0
ifup eth0

Run the ifconfig command to verify the result.

centos7 is a mess 😦 so better to stick with 6


Change/Clone MAC address

To change the MAC address in CentOS, edit the network config file of the required Ethernet interface, for example …

nano /etc/sysconfig/network-scripts/ifcfg-eth0

Here you will see the HWADDR line with the current MAC address. Don’t modify it; just add another line above it, like the following

MACADDR=00:11:11:11:11:11          < Add this line with your required MAC address
HWADDR=00:22:22:22:22:22       < Your current MAC address

An example of a full cfg file for eth0

DEVICE=eth0
MACADDR=00:11:11:11:11:11
HWADDR=00:22:22:22:22:22
TYPE=Ethernet
UUID=d34531a1-3c76-4527-8e50-448857568abc
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=192.168.1.2
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=8.8.8.8

Save & exit, then restart the network service or the interface for the change to take effect

service network restart

OR

ifdown eth0
ifup eth0

Run the ifconfig command to verify the result.

OR

use the sed shortcut 😉 (it inserts the given text as the first line of the file)

sed -i -e '1iHere is my new top line' filename
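A misspelt key such as NETMAST is silently ignored when the ifcfg file is sourced (one reason "netmask doesn't work" and PREFIX= gets used instead), and the kernel refuses a cloned MAC whose first octet has the multicast bit set. The script below is an added example, not from these notes: it lints an ifcfg-ethX file before `service network restart`, checking the three settings the note above insists on, the netmask/prefix, and any MACADDR; the sample files it writes are constructed from the examples in these notes.

```shell
#!/bin/bash
# Added example (not from the post): lint a CentOS 6 ifcfg-ethX file before
# "service network restart". Usage: check_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0

# Value of KEY $2 in FILE $1 (last occurrence wins, as when the file is sourced),
# with any trailing "# comment" and surrounding double quotes removed.
ifcfg_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 \
        | sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/'
}

# 0 if $1 is six hex octets and the low bit of the first octet is clear;
# a set bit marks a multicast/group address, which the kernel refuses as an interface address.
valid_unicast_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    first=$(printf '%s' "$1" | cut -c1-2)
    [ $(( 0x$first & 1 )) -eq 0 ]
}

# Print one line per problem found in ifcfg file $1; return 0 only if it is clean.
check_ifcfg() {
    f=$1
    rc=0
    for want in NM_CONTROLLED=no ONBOOT=yes; do
        key=${want%%=*}
        got=$(ifcfg_value "$f" "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "$key should be ${want#*=} (found '${got:-unset}')"
            rc=1
        fi
    done
    proto=$(ifcfg_value "$f" BOOTPROTO)
    case "$proto" in
        static|none) ;;
        *) echo "BOOTPROTO should be static or none for a fixed address (found '${proto:-unset}')"; rc=1 ;;
    esac
    if grep -q '^NETMAST=' "$f"; then
        echo "NETMAST is a typo and is silently ignored: use NETMASK= or PREFIX="
        rc=1
    fi
    if [ -n "$(ifcfg_value "$f" IPADDR)" ] \
       && [ -z "$(ifcfg_value "$f" NETMASK)" ] && [ -z "$(ifcfg_value "$f" PREFIX)" ]; then
        echo "IPADDR is set but neither NETMASK nor PREFIX is"
        rc=1
    fi
    mac=$(ifcfg_value "$f" MACADDR)
    if [ -n "$mac" ] && ! valid_unicast_mac "$mac"; then
        echo "MACADDR '$mac' is not a valid unicast MAC address"
        rc=1
    fi
    return $rc
}

# Constructed samples: a clean file modelled on the eth1 example in these notes, and a
# broken one modelled on the eth0 sample (NETMAST typo, NetworkManager left on,
# multicast bit set in the MAC to be cloned).
write_sample_ifcfg() {   # $1 = directory to write into
    cat > "$1/ifcfg-good" <<'EOF'
DEVICE=eth1
NM_CONTROLLED="no"
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=none
IPADDR=1.1.1.2
PREFIX=29
GATEWAY=1.1.1.1
DNS1=8.8.8.8
EOF
    cat > "$1/ifcfg-bad" <<'EOF'
DEVICE=eth0
MACADDR=11:22:33:44:55:66
HWADDR=00:22:22:22:22:22
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=192.168.10.2  # IP Address you want to fix
NETMAST=255.255.255.0   # Netmask as per network
GATEWAY=192.168.10.1
DNS1=8.8.8.8
EOF
}

# Offline demo: reports the four problems in the constructed ifcfg-bad.
demo_dir=$(mktemp -d)
write_sample_ifcfg "$demo_dir"
check_ifcfg "$demo_dir/ifcfg-bad" || true
rm -rf "$demo_dir"
```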


 

Disabling CENTOS default ‘SELINUX’ protection

To disable SELinux temporarily for the current session, use the following…

echo 0 > /selinux/enforce

To disable it permanently in CentOS, edit the following

vi /etc/selinux/config

and change the

SELINUX=enforcing

to

SELINUX=disabled

Save & exit & reboot for the change to take effect.

Or use the sed shortcut to replace the string from the CLI 😉 # Zaib

sed -i "s/=enforcing/=disabled/g" /etc/selinux/config


Disable IPTABLES

To disable the iptables service

service iptables stop
chkconfig iptables off

You can check the status with the following

service iptables status

and you can also use the following commands to clear the current iptables rules (for the current session only)

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Some must-have tools

yum install -y nano wget curl net-tools lsof

SERVICES related

service --status-all

To disable a service on startup, use

chkconfig httpd off

To always start a service on boot, use

chkconfig http on

Excluding slow mirrors

When I was installing some packages on CentOS and yum was doing it at a painfully slow speed, I figured out that the mirrors it was selecting (Indian and Bangladeshi mirror sites) were very slow. So I excluded the two mirror domains it was picking at the start, .in and .bd.

Use the following file

nano /etc/yum/pluginconf.d/fastestmirror.conf

and add the slow mirrors (to be excluded) like

exclude=.in, .bd, xyz.com

or use the CLI to append it to the file

echo "exclude=.gov, .in, .vn, mirror-fpt-telecom.fpt.net" >> /etc/yum/pluginconf.d/fastestmirror.conf

How to check the CentOS version / kernel number

CentOS version:
cat /etc/centos-release

32-bit/64-bit check:
uname -a

Howto disable IPv6 in CentOS [Tested on 6.x versions]

First edit the sysctl.conf file in any editor, e.g.:

nano /etc/sysctl.conf

and add the following lines at the end

# IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

OR
use the following to append them directly to the file with the echo command

echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.lo.disable_ipv6 = 1" >> /etc/sysctl.conf

Save and exit, then execute the following to activate the changes 🙂

sysctl -p

Howto install PHPMYADMIN in CentOS 6.x

To install phpMyAdmin, which is a good tool to manage your mysql via a GUI, on CentOS, use the following…

cd /tmp
wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm

yum search phpmyadmin
yum -y install phpmyadmin

Now you need to edit the /etc/httpd/conf.d/phpMyAdmin.conf file; enter:

vi /etc/httpd/conf.d/phpMyAdmin.conf

Replace your IP in

Require ip 127.0.0.1

Allow from 127.0.0.1

Change 127.0.0.1 to the IP of the management PC from which you want to access phpMyAdmin.

After saving, restart the httpd service.

service httpd restart

Or use the sed shortcut to replace the string from the CLI 😉 # Zaib

sed -i "s/127\.0\.0\.1/10.0.0.1/g" /etc/httpd/conf.d/phpMyAdmin.conf

[replace 10.0.0.1 with your management PC IP]

Solving wget hangs/sleep problem when the internet link breaks or with poor connectivity

wget --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 0 <url>

Adding Virtual NIC

Quick and dirty way (it adds the NIC temporarily for the session; you can also add these commands to startup):

ip link add link eth0 address 02:22:33:44:55:66 eth0.10 type macvlan   # MAC must be unicast: first octet even (11:22:... is refused by the kernel)
ifconfig eth0.10 up
ifconfig eth0.10 10.0.0.2

Adding a virtual NIC permanently.

http://linuxconfig.org/configuring-virtual-network-interfaces-in-linux

Adding a simple VPN server (in view of connecting radius with a NAS)

https://www.digitalocean.com/community/tutorials/how-to-setup-your-own-vpn-with-pptp

On CentOS 6 x64:

rpm -i http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm
yum -y install pptpd

Now edit /etc/pptpd.conf and add the following lines:

localip 10.0.0.1
remoteip 10.0.0.100-200

where localip is the IP address of your server and remoteip is the range of IPs that will be assigned to clients that connect to it.

Next, set up authentication for PPTP by adding users and passwords. Simply add them to /etc/ppp/chap-secrets (example of an id/password entry: client, server, secret, allowed IPs):

zaib    pptpd    zaibpass    *

and restart the service

service pptpd restart

Add PPPOE dialer setup in centos 6.x [Nov,2017]

To add a PPPoE dialer in CentOS, use

yum install ppp rp-pppoe

This will install a few additional commands you can use to manage the dialer. For example, to add a dialer via the setup wizard use

pppoe-setup

> To start the pppoe dialer, use

pppoe-start

> To stop an already dialed pppoe connection, use

pppoe-stop

Use the pppoe-status command to query the status.

ZAIB


Adding static routes in a separate file [Nov,2017]

Note: 192.168.100.2 is the gateway

[root@gtradius network-scripts]# cat route-eth0
192.168.0.0/16 via 192.168.100.2 dev eth0
10.0.0.0/8 via 192.168.100.2 dev eth0

Adding an IP configuration file for a newly added interface

Example: eth0 is already running; now you have added a new interface eth1 but there is no file for it in /etc/sysconfig/network-scripts

Copy the existing running interface’s file, like

cp ifcfg-eth0 ifcfg-eth1

Now edit it and make the necessary changes; an example file is shown below …


[root@gtradius network-scripts]# cat ifcfg-eth1
DEVICE=eth1
NM_CONTROLLED="no"
ONBOOT=yes
# [VMware commented] HWADDR=18:A9:05:32:45:1F # REMOVE HWADDR
TYPE=Ethernet
BOOTPROTO=none
IPADDR=1.1.1.2
PREFIX=29
GATEWAY=1.1.1.1
DNS1=8.8.8.8
#DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth1"
#UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 # REMOVE UUID


To be continued …

SYED.JAHANZAIB

February 16, 2015

Expanding Possibilities / Howto add 3rd party packages in Mikrotik KVM/Metarouter!

Filed under: Mikrotik Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 2:22 PM

As asked by a few friends, I thought it’s a good idea to share it with all.
Last Update: 5th March, 2015, 08:43 am

1- What is Metarouter
2- Howto install Metarouter in Mikrotik Routerboard
3- Howto install APACHE web server in METAROUTER to host your web files
4- Howto install ASTERISK 1.8 with GUI [Feb 2015]
5- Howto setup NTP to solve DATE/Time sync issue [5th March, 2015 8:43am]
6- Howto disable firewall [17th March, 2015 13:00 hrs]

1- What is METAROUTER?

as defined by Greg

“Metarouter is a way to have logical routers running on your existing routerboard. In essence, you create a virtual router on your RB, then you assign some interfaces to it. You then can hand this virtual router off to a customer and allow them to administer it without affecting any of the core functions necessary on the device.”

Also on METAROUTER you can use an OpenWrt image to host a tiny Linux and a few apps in it, like APACHE, asterisk etc. A web server was in high demand by local cable operators who wanted to host a non-payment/reminder page to be shown to their clients.

Currently MetaRouter can be used on

  • RB4xx, RB7xx series, RB900 series, RB2011.xx boards
  • Listed PPC boards: RB1000, RB1100, RB1100AH and RB800.

Hardware/Software used in this guide:

Routerboard Model = RB2011UiAS-2HnD
Mikrotik ROS version = 6.27

2- Howto install METAROUTER in Mikrotik Routerboard

First download the OpenWrt image into Mikrotik. Open a new terminal and issue the following command …

/tool fetch url=http://openwrt.wk.cz/trunk/mr-mips/openwrt-mr-mips-rootfs-31411-basic.tar.gz

Now import the OpenWrt image downloaded in the step above, as shown in the image below …

[Image: 2- Import Image]

Now we need to add a virtual network interface to this machine. We also have to provide a valid network configuration with internet access so that it can download the required software later. For this demonstration I added a manual IP, but you can use a virtual bridge and your Mikrotik DHCP server to give the metarouter machine internet access, or whatever you prefer to establish network connectivity.

In the pic below, I selected ETHER2, which is the LAN interface of the Mikrotik host.

[Image: add interface]

Now double-click on the newly created machine, select CONSOLE and press the Enter key a few times to get a command prompt.

[Image: 6- Open Metarouter CONSOLE]

Edit the network configuration file.

vi /etc/config/network

Press “i” to enter edit mode, and configure the network as per your local need.

[Image: 7- edit interface settings]

Add a DNS server entry for resolving internet hosts …

vi /etc/resolv.conf

After setting the network configuration, save and exit. Enable/restart the network service so the changes take effect.

/etc/init.d/network enable
/etc/init.d/network restart

Now try to ping any internet site to verify connectivity. On a successful attempt, you should get a reply.

[Image: 8- ping successful]

3- Howto install APACHE web server in METAROUTER to host your files.

Install the APACHE web server with OPKG (like yum or apt-get)

Edit the opkg file

vi /etc/opkg.conf

Change the string on the first line so that it looks like the one below …

src/gz snapshots http://openwrt.wk.cz/trunk/mr-mips/packages

Now update opkg (as you would run apt-get update on Ubuntu) and install apache

opkg update
opkg install apache

It’s better to restart your Mikrotik routerboard with the reboot command so that all changes take effect properly; otherwise you MAY see a few errors when accessing apache.

Now start the apache service

apachectl start

(or restart as required)

Access it via browser

[Image: 10-apache works]

HTML index files are placed at

/usr/share/htdocs


4- Howto install ASTERISK 1.8 with GUI

Make a metarouter machine with the following image, and set up proper networking.

/tool fetch url=http://ms1.nserver.us/openwrt.wk.cz/kamikaze/openwrt-mr-mips-rootfs-18961.tar.gz

Edit /etc/opkg.conf and use the following repository

src/gz snapshots http://ms1.nserver.us/openwrt.wk.cz/kamikaze/packages/mr-mips
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /jffs

Save and exit, then update opkg, install asterisk, and start it.

opkg update
opkg install asterisk18 asterisk18-codec-alaw asterisk18-chan-iax2 asterisk-gui
/etc/init.d/asterisk enable
/etc/init.d/asterisk start

Upon successful start you can see the following ports (5038 and 8088) listening, as shown below …

root@metarouter:~# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5038            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8088            0.0.0.0:*               LISTEN

Now you can access asterisk GUI via

http://ipofmetarouter:8088

Default ID/password is

Id = admin
Password = ast-owrt

You can change the password and other settings in /etc/asterisk/manager.conf

Note: on an RB750, a client faced an issue where, after rebooting / power-cycling the host router, the asterisk web page didn’t work and timed out. On an RB2011 there was no such issue with the same image.


5- Howto setup NTP to solve DATE Time synch issue

Mikrotik itself and most hardware devices supported by OpenWrt do not have a hardware clock. Therefore use the NTP package to solve the date/time sync issue:

opkg update
opkg install ntpd
/etc/init.d/sysntpd disable
/etc/init.d/ntpd enable
/etc/init.d/ntpd start

# To check whether NTP started properly
netstat -l | grep ntp

Note: it will take some time after reboot to sync the time with the internet; make sure the internet is operational in the metarouter.


6- Howto disable firewall [17th March, 2015 13:00 hrs]

/etc/init.d/firewall stop
/etc/init.d/firewall disable
reboot

To be continued ….

Regards,
Syed Jahanzaib

February 15, 2015

Active Directory Backup/Restore , Troubleshooting – Short Notes


active directory logo.png

Ok so far I have experienced following,

  • I tried a lot but failed to restore an Active Directory System State-only backup to different, dissimilar hardware; Windows doesn't boot after the restoration. (In the past, when we had a single DC and some component failure occurred, a System State backup restoration worked as a last resort, but on the same DC.)
  • If we have a full backup via wbadmin/Server Backup, then we can do a bare metal recovery of the full system to other, dissimilar hardware, either via USB or a network share, and Active Directory worked fine with all functions. I tested it a few times via USB and network; both worked perfectly, and all AD components/functions were working fine, with a test user logging in successfully and GP applied as well.
  • Restoration from a backup set should be the last option. It's better to plan multiple DCs deployed at various locations; if any DC goes down, redo the OS installation and promote it as a DC via replication from the other DCs.

1# Backup Active Directory – System State in Windows 2008/2016

Following is a small guide to backing up and restoring the system state in Windows 2008/2016.

# BACKUP

  • You cannot store the backup on the same partition as Windows (C:); you must back up AD to a second partition or another drive. (It must be a local drive or a network shared folder, but not USB.)
  • First install the Windows Server Backup feature from Server Manager, or via the CLI: open CMD, type powershell and enter
    Import-Module ServerManager
    Add-WindowsFeature Windows-Server-Backup
  • After this, open a command prompt and type
wbadmin start systemstatebackup -backuptarget:d:

and press Enter. It will ask for confirmation; type Y to continue and it will start backing up your current AD to the D: drive.

Note: you can use a different backup target of your choosing; it must be a local drive of your server.

When the backup finishes running, you should get a message that the backup completed successfully. Go to your backup drive and you will find a folder named WindowsImageBackup containing the backup data.
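As an added example (not part of the original post): a small PowerShell check that parses the output of wbadmin get versions, picks the newest version identifier and fails if that backup is older than a threshold, so a nightly backup that silently stopped is noticed before a restore is ever needed. It assumes wbadmin.exe is installed, that D: is the target used above, and that a version identifier such as 04/04/2013-15:00 is the backup's UTC time; it also prints the matching restore command from the next section.

```powershell
# Added example, not from the original post: alert when the newest system state
# backup on the target is too old. Assumes wbadmin.exe (Windows Server Backup)
# and that a version identifier such as "04/04/2013-15:00" is the backup's UTC time.
param(
    [string]$BackupTarget = 'D:',   # same target as the backup command above
    [int]$MaxAgeHours = 26          # daily job plus some slack
)

function Get-WbadminVersions {
    param([string]$Target)
    # wbadmin prints one block per backup, e.g.
    #   Backup time: 4/4/2013 11:00 AM
    #   ...
    #   Version identifier: 04/04/2013-15:00
    $text = & wbadmin.exe get versions "-backupTarget:$Target" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "wbadmin get versions failed: $text" }

    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
              [System.Globalization.DateTimeStyles]::AdjustToUniversal
    $current = $null
    foreach ($line in $text) {
        if ($line -match '^\s*Backup time:\s*(.+)$') {
            $current = [ordered]@{ BackupTime = $matches[1].Trim() }
        }
        elseif ($current -and $line -match '^\s*Version identifier:\s*(\S+)') {
            $current.VersionId = $matches[1]
            $current.BackupUtc = [datetime]::ParseExact($matches[1], 'MM/dd/yyyy-HH:mm',
                                   [cultureinfo]::InvariantCulture, $styles)
            [pscustomobject]$current
            $current = $null
        }
    }
}

$versions = @(Get-WbadminVersions -Target $BackupTarget)
if ($versions.Count -eq 0) {
    Write-Error "No backup versions found on $BackupTarget"
    exit 2
}

$newest = $versions | Sort-Object BackupUtc -Descending | Select-Object -First 1
$age = [datetime]::UtcNow - $newest.BackupUtc
if ($age.TotalHours -gt $MaxAgeHours) {
    Write-Error ("Newest backup {0} is {1:N1} h old; limit is {2} h" -f
                 $newest.VersionId, $age.TotalHours, $MaxAgeHours)
    exit 1
}

"OK: {0} backups on {1}; newest {2} ({3:N1} h old)" -f $versions.Count, $BackupTarget,
    $newest.VersionId, $age.TotalHours
"Restore it with: wbadmin start systemstaterecovery -backuptarget:{0} -version:{1}" -f
    $BackupTarget, $newest.VersionId
```

Run it from a scheduled task after the backup job; a non-zero exit code is what the task scheduler or monitoring should alert on. The threshold is deliberately a little above 24 hours so a job that merely ran late does not page anyone.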


2# RESTORE Active Directory in Windows 2016 Server (Authoritative Mode) on the same machine

Scenario: we have a single Domain Controller running, and a daily System State backup is done by the WBADMIN utility to the D: drive. Components of AD have accidentally been damaged, or multiple items have been deleted from AD by mistake and we are unable to restore them. Since Windows was running OK and only a few AD parts were having trouble, we decided to restore from the System State backup.

To restore a System State backup on the same machine, follow these steps:

  • Boot in DSRM mode.
  • Open a command prompt and get the backup version number, so that you restore the correct version of the backup. Use the following command to list the versions:

wbadmin get versions -backupTarget:D:

# Make sure your backups are in a folder structure like d:\windowsimagebackup\servername and so on

  • Write down the version identifier you need to use.
  • To restore AD in AUTHORITATIVE mode, use the following command:
wbadmin start systemstaterecovery -backuptarget:d: -version:04/04/2013-15:00 -authsysvol

Note:

  1. Change -version: to match the backup version identifier you noted from the wbadmin get versions command.
  2. Change -backuptarget:d: to match the partition where the backup folders reside.
  3. To restore AD in non-authoritative mode, remove the -authsysvol switch at the end of the command.

Once the restore is completed, the system will reboot automatically. Once booted, you will see all your AD settings restored.

The NETLOGON share is not present after you install Active Directory

If you get this error after the System State restore, you may want to tweak the registry.

Read this

https://support.microsoft.com/en-us/help/947022/the-netlogon-share-is-not-present-after-you-install-active-directory-d

And this one too

http://www.virtuallyimpossible.co.uk/when-good-domain-controllers-go-bad/


3# Bare Metal Recovery via ‘WBADMIN’ to different hardware using “FULL BACKUP recovery set”

Updated: 28-NOV-2018

Scenario:

We have 2 Domain Controllers and both hardware machines have gone faulty. System State and FULL backups are being done by the WBADMIN utility on a daily basis, and we have the FULL backup set available on an external USB drive (F:\WindowsImageBackup\DC01).

Now we need to restore Active Directory on a new machine. I performed this DR in my LAB and was able to fully recover Active Directory to the new machine. The previous DC's FULL backup is available on the USB drive (F:\WindowsImageBackup\DC01), which is attached to this new system.

  • Boot from the Server 2016 GUI DVD (or USB)
  • On the first welcome screen, select NEXT
  • On the second screen, select Repair Your Computer
  • On the Choose an option screen, select Troubleshoot
  • On the Advanced Options screen, select Command Prompt
  • On the CMD screen, first check which drive letter the USB drive with your backup folders has (in my case it is F:)

You can check volume letters with the DISKPART tool.

(Some reference below which I used; the disk and volume were both 3 in my case.)
diskpart > list disk > select disk 3 > list volume > select volume 3
(To change the drive letter if required, use: assign letter=F)

  • Now check for the available backup versions:
wbadmin get versions -backupTarget:f:
  • Once you have the version identifier, restore it with the following command:
wbadmin start sysrecovery -version:11/26/2018-22:00 -backuptarget:f: -machine:DC01 -authsysvol -recreateDisks -restoreAllVolumes

Answer Yes to all the questions it asks; once done, the system will reboot and you will be flying with AD again 🙂


4# Bare-metal Recovery via WBADMIN Restore in new vm using network share [Updated 2-OCT-2018]

Scenario:

  • Domain Controller Name: DC01
  • Full Backup Set is available on a network location \\FILESERVER\WindowsImageBackup\DC01

If you have taken a FULL backup of your server (for example DC01) using WBADMIN or the Server Manager Backup wizard and stored it on a network location, we can restore it to a new VM [Bare-metal Recovery].

Steps:

  • Create a new VM with the same settings as the old VM [DC01].
  • Now boot this VM from the Windows ISO (in my example it was the 2016 GUI edition) and select REPAIR.
  • Open CMD and issue
    start /w wpeinit
  • Test connectivity with
net use \\FILESERVER\WindowsImageBackup\DC01 /user:DOMAIN\ADMIN
  • Now get the backup versions from the shared folder
wbadmin get versions -backupTarget:\\FILESERVER\WindowsImageBackup\DC01

If all goes well, it will show you the backup versions. Note down the version you want to restore and use it in the command below:

wbadmin start sysrecovery -version:10/02/2018-22:05 -backuptarget:\\FILESERVER\WindowsImageBackup\DC01 -machine:DC01 -recreateDisks -restoreAllVolumes -authsysvol

Once it reports success, it may ask for a reboot; do so.


5# How to Protect/Unprotect Active Directory Objects from Accident Deletion

Enable Protection

1# Enable protection on all Active Directory users

Get-ADObject -filter {(ObjectClass -eq "user")} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

2# Enable protection on any Organizational Unit where the setting is not already enabled

Get-ADOrganizationalUnit -filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

3# Enable protection for groups

Get-ADObject -filter {ObjectClass -eq "user" -or ObjectClass -eq "group"} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Disable Protection

To remove protection, just change $true to $false in the above commands.
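The commands above set protection blindly on everything; as an added example (not part of the original post), the script below first reports which users, groups and OUs are currently unprotected, grouped by class, and only changes them when run with -Fix (it honours -WhatIf). It assumes the ActiveDirectory RSAT module and an account allowed to modify the objects' ACLs; the parameter names are mine.

```powershell
# Added example, not part of the original post: report which users, groups and OUs
# are NOT protected from accidental deletion, and enable protection with -Fix.
# Assumes the ActiveDirectory RSAT module and an account allowed to modify the objects' ACLs.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Fix,                                             # apply, instead of only reporting
    [string]$SearchBase = (Get-ADDomain).DistinguishedName    # default: the whole domain
)
Import-Module ActiveDirectory -ErrorAction Stop

# ProtectedFromAccidentalDeletion is computed from the "Deny Delete / Delete Subtree"
# ACEs the checkbox sets, so it must be requested explicitly with -Properties.
# objectCategory=person matches users but not computers (those are objectCategory=computer).
$unprotected = @(Get-ADObject -SearchBase $SearchBase `
    -LDAPFilter '(|(objectCategory=person)(objectCategory=group)(objectCategory=organizationalUnit))' `
    -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion })

if ($unprotected.Count -eq 0) {
    "All users, groups and OUs under $SearchBase are protected."
    return
}

"Unprotected objects under $SearchBase by class:"
$unprotected | Group-Object ObjectClass | ForEach-Object { "  {0,-20} {1}" -f $_.Name, $_.Count }
$unprotected | Select-Object ObjectClass, Name, DistinguishedName | Format-Table -AutoSize

if ($Fix) {
    foreach ($obj in $unprotected) {
        # Honour -WhatIf / -Confirm passed to the script itself
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Set ProtectedFromAccidentalDeletion')) {
            Set-ADObject -Identity $obj -ProtectedFromAccidentalDeletion $true
        }
    }
    "Protected {0} object(s)." -f $unprotected.Count
}
```

Run it without -Fix first and review the list: a protected object cannot be moved to another OU until the flag is cleared again, so service or staging accounts that are moved by automation should be excluded deliberately rather than discovered when the move fails.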

List users with a bad password count (badPwdCount is not replicated between DCs, so query each DC, or the PDC emulator, to which bad-password attempts are forwarded):

Get-ADUser -filter * -Properties badPwdCount | where {$_.badpwdcount -gt 1} | Select -Property Name,badpwdcount | sort -Property name

6# FSMO roles transfer by powershell cmd

It's now easier to move FSMO roles with PowerShell from a 2012/2016 machine.

1) Log in to any DC and open PowerShell as administrator.
2) Execute the following command:

Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole 0,1,2,3,4

DC02 is the server to which you want to transfer all FSMO roles. For example, dc2 is our second DC and we want to move the roles from DC1 to DC2, so we simply give the target DC, which in our case is DC2; it will become the "PDC" (we use the word PDC just for the sake of conversation).

3) Select Yes for all 5 roles.
4) Run netdom query fsmo to check the roles.


7# Active Directory Health Check

Open CMD as Administrator and use the following commands to check Active Directory domain health:

  • DCDiag /Test:DNS
  • dcdiag /s:DC1 /v
  • repadmin /showrepl
  • repadmin /replsummary
  • repadmin /showrepl SERVERNAME
  • repadmin /showrepl /errorsonly
  • repadmin /queue
  • repadmin /showoutcalls *
  • repadmin /bridgeheads * /verbose
  • repadmin /istg * /verbose

Force Sync / Replication

The following command will Force / push immediate replication to all domain controllers in the Domain:

  • repadmin /syncall /AdeP
  • OR
  • Repadmin /syncall DC_name /APed

Explanation:

  • repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names)

Test FRS / DFSR replication

  • dcdiag /test:frsevent (for FRS)
  • dcdiag /test:dfsrevent (for DFSR)

For reference , use following

http://kpytko.pl/active-directory-domain-services/active-directory-and-sysvol-replication-status/
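The repadmin output above is meant for reading by eye; as an added example (not part of the original post), the script below turns repadmin /showrepl * /csv into objects and flags every replication link that has failures or no success within the last few hours, so the same health check can run from a scheduled task. It assumes repadmin.exe (RSAT AD DS tools) and an account that can query every DC; the parameter names and the 3-hour threshold are mine.

```powershell
# Added example, not part of the original post: parse "repadmin /showrepl * /csv"
# into objects and flag links with failures or no recent success, so the health
# check can run on a schedule. Assumes repadmin.exe (RSAT AD DS tools) and an
# account that can query every DC; "*" means every DC in the forest.
param(
    [string]$Scope = '*',
    [int]$MaxHoursSinceSuccess = 3
)

function Get-ReplicationLink {
    param([string]$Scope = '*')
    $csv = & repadmin.exe /showrepl $Scope /csv
    if ($LASTEXITCODE -ne 0 -or -not $csv) { throw "repadmin /showrepl failed (exit code $LASTEXITCODE)" }
    $csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Destination     = $_.'Destination DSA'
            Source          = $_.'Source DSA'
            Partition       = $_.'Naming Context'
            Failures        = [int]($_.'Number of Failures' -as [int])   # blank -> 0
            LastFailureCode = $_.'Last Failure Status'
            LastSuccess     = $_.'Last Success Time'
        }
    }
}

$links = @(Get-ReplicationLink -Scope $Scope)
$cutoff = (Get-Date).AddHours(-$MaxHoursSinceSuccess)

$bad = foreach ($l in $links) {
    $last = $l.LastSuccess -as [datetime]           # $null if the field is empty or "(never)"
    $stale = (-not $last) -or ($last -lt $cutoff)
    if ($l.Failures -gt 0 -or $stale) { $l }
}

if ($bad) {
    "{0} of {1} replication links need attention:" -f @($bad).Count, $links.Count
    $bad | Sort-Object Destination, Partition |
        Format-Table Destination, Source, Partition, Failures, LastFailureCode, LastSuccess -AutoSize
    exit 1
}
"OK: {0} replication links, no failures, all succeeded within the last {1} h" -f $links.Count, $MaxHoursSinceSuccess
```

A link that shows failures with a Last Failure Status of 8453 or 1722 usually points at permissions or RPC connectivity respectively, which is where the repadmin /showrepl /errorsonly and dcdiag output above should be read next; a link that is merely stale with no failures is often just a site link schedule.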

Check that Group Policy objects are consistent on all domain controllers:

  • gpotool /verbose

To see which Group Policy the client has applied, use this on the client computer:

Goto Start/Run

  • RSoP.msc

Check the secure channel to the domain from a client workstation:

nltest /sc_query:MYDOMAIN

AD System State Backup Script with Email

I am using the BLAT email tool for sending the email result.

@echo off
::::::::::::::::::::::::::::::::::::::::::
:: DC01 DC BACKUP SCRIPT ::
::::::::::::::::::::::::::::::::::::::::::
set srvname=DC01
set description=DC01 - Daily Status of AD Backup Data Copied in FILE_SERVER
set jobname=DC01 - Daily Status of AD Backup Data Copied in FILE_SERVER
set attachment=c:\backup\ad_backup.log
set mail-subject=DC01 - Daily Status of AD Backup Data Copied in FILE_SERVER
set mail-body=DC01 - Daily Status of AD Backup Data Copied in FILE_SERVER
set mail-to=aacableAThotmailDOTcom
set backuppath=D:\WindowsImageBackup\DC01
set footer=DC+AD Automated Backup and Email Logs Script Created by ZAIB (Pvt) Ltd. IS Dept. / Syed Jahanzaib

:: Record the start time. WMIC returns the columns alphabetically (Day Hour Minute Second)
:: and is locale independent, unlike %date%; centiseconds come from %time%.
FOR /F "skip=1 tokens=1-4" %%A IN ('WMIC Path Win32_LocalTime Get Day^,Hour^,Minute^,Second /Format:table ^| findstr /r "."') DO (
set Day=%%A
set Hour=%%B
set Minute=%%C
set Second=%%D
)
set Milisecond=%time:~9,2%
:: "1%Milisecond%-100" avoids set /a reading 08 or 09 as (invalid) octal
set /a Start=%Day%*8640000+%Hour%*360000+%Minute%*6000+%Second%*100+1%Milisecond%-100

:: PUT COMMANDS HERE
:: The report is a file, so remove it with del (rd only removes directories)
if exist %attachment% del /q %attachment%
net use T: \\FILE_SERVER\BKP_FOLDER
echo Now starting AD backup using wbadmin command ...
wbadmin start systemstatebackup -backuptarget:d: -quiet
echo.
echo ***** NOW COPYING DC BACKUP DATA TO T:\DC01\AD
echo **************************************************
:: /I treats the target as a directory (no "file or directory?" prompt), /D copies only newer files
xcopy.exe D:\WindowsImageBackup\*.* T:\DC01\ad /S /D /C /Y /I
echo "Deleting OLD Backup Folders older than 10 days - - - - - -- - - - - - - - -- - - - - -"
PowerShell -Command "Get-ChildItem 'T:\DC01\AD\DC01' | Where-Object { $_.PSIsContainer -and $_.LastWriteTime -le (Get-Date).AddDays(-10) } | Remove-Item -Recurse -Force"
PowerShell -Command "Get-ChildItem 'D:\WindowsImageBackup' | Where-Object { $_.PSIsContainer -and $_.LastWriteTime -le (Get-Date).AddDays(-10) } | Remove-Item -Recurse -Force"
::
::

:: Record the end time and work out the elapsed time in centiseconds
FOR /F "skip=1 tokens=1-4" %%A IN ('WMIC Path Win32_LocalTime Get Day^,Hour^,Minute^,Second /Format:table ^| findstr /r "."') DO (
set Day=%%A
set Hour=%%B
set Minute=%%C
set Second=%%D
)
set Milisecond=%time:~9,2%
set /a End=%Day%*8640000+%Hour%*360000+%Minute%*6000+%Second%*100+1%Milisecond%-100
:: Diff goes negative only if the job runs across a month boundary (Day resets to 1)
set /a Diff=%End%-%Start%
set /a DiffMS=%Diff%%%100
set /a Diff=(%Diff%-%DiffMS%)/100
set /a DiffSec=%Diff%%%60
set /a Diff=(%Diff%-%DiffSec%)/60
set /a DiffMin=%Diff%%%60
set /a Diff=(%Diff%-%DiffMin%)/60
set /a DiffHrs=%Diff%

:: format with leading zeroes (each value pads its own variable)
if %DiffMS% LSS 10 set DiffMS=0%DiffMS%
if %DiffSec% LSS 10 set DiffSec=0%DiffSec%
if %DiffMin% LSS 10 set DiffMin=0%DiffMin%
if %DiffHrs% LSS 10 set DiffHrs=0%DiffHrs%

echo The Domain Controller DC01 Backup Report > %attachment%
echo.>> %attachment%
echo The Backup Script took %DiffHrs% Hours, %DiffMin% Mnts, %DiffSec% Secs >> %attachment%
echo.>> %attachment%
echo List of Folders >> %attachment%
echo.>> %attachment%
FORFILES /p %backuppath% /S /D +0 /C "cmd /c IF @isdir == TRUE echo @path" >> %attachment%
echo.>> %attachment%
echo %footer% >> %attachment%
c:\blat\blat.exe %attachment% -to %mail-to% -i %srvname% -s "%mail-subject%"


Event ID 4771 : Kerberos Pre-Authentication Failed

When troubleshooting AD account lockout issues you can search through the Domain Controller security logs for audit failures with event ID 4771.

The event details include a result code that specifies exactly what the issue is. The most common are:

  • 0x12 – client credentials have been revoked (disabled, expired, locked, etc)
  • 0x17 – password has expired
  • 0x18 – pre-authentication was invalid (bad password)
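As an added example (not part of the original post), the PowerShell below reads the 4771 events of the last day from a DC's Security log and summarises them by result code and by account/client pair, which is how the workstation behind a lockout, or one source failing against many accounts, shows up without opening events one by one. It assumes audit failure logging is enabled and the caller can read the DC's Security log; the parameter names and the threshold of 3 are mine, and the code meanings are the three listed above.

```powershell
# Added example, not part of the original post: summarise Kerberos pre-authentication
# failures (event 4771) from a DC's Security log by result code and by account/client
# pair. Assumes audit failure logging is on and the caller can read the DC's Security log.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
    [int]$Hours = 24,
    [int]$MinCount = 3                           # report account/client pairs seen at least this often
)

# Meanings of the result codes listed in the post
$meaning = @{
    '0x12' = 'client credentials revoked (disabled, expired, locked)'
    '0x17' = 'password has expired'
    '0x18' = 'pre-authentication invalid (bad password)'
}

function Get-PreAuthFailure {
    param([string]$ComputerName, [int]$Hours)
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue     # no error when there are simply no events
    foreach ($e in $events) {
        # Read the named EventData fields from the XML rather than regexing the message text
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $code = $d['Status']
        $why = 'other'
        if ($meaning.ContainsKey($code)) { $why = $meaning[$code] }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $d['TargetUserName']
            Client  = $d['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
            Code    = $code
            Meaning = $why
        }
    }
}

$fails = @(Get-PreAuthFailure -ComputerName $ComputerName -Hours $Hours)
if ($fails.Count -eq 0) { "No 4771 events in the last $Hours h on $ComputerName"; return }

"4771 events in the last $Hours h on ${ComputerName}: $($fails.Count)"
"By result code:"
$fails | Group-Object Code | Sort-Object Count -Descending |
    Format-Table @{n='Code'; e={$_.Name}}, Count, @{n='Meaning'; e={$_.Group[0].Meaning}} -AutoSize

"Account / client pairs with at least $MinCount failures:"
$fails | Group-Object Account, Client | Where-Object { $_.Count -ge $MinCount } |
    Sort-Object Count -Descending |
    Format-Table Count, @{n='Account, Client'; e={$_.Name}},
        @{n='Codes'; e={($_.Group.Code | Sort-Object -Unique) -join ','}},
        @{n='First'; e={($_.Group | Sort-Object Time)[0].Time}},
        @{n='Last';  e={($_.Group | Sort-Object Time)[-1].Time}} -AutoSize
```

Because each DC only logs the pre-authentication attempts it handled itself, run this against every DC (or collect the Security logs centrally) before concluding that an account is clean; a single client address producing 0x18 against many different accounts is the pattern worth escalating, while one account with repeated 0x18 from one client is usually a stale saved credential.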

In my particular case I modified the Kerberos time tolerance in GPO; the default maximum tolerance was 5 minutes, and I extended it to 30 minutes, as shown below:

  1. Open “Group Policy Management”.
  2. Navigate to “Group Policy Objects” in the Domain being reviewed (Forest >> Domains >> Domain).
  3. Right click on the “Default Domain Policy”, select “Edit”.
  4. Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.

“Maximum tolerance for computer clock synchronization”: set this to a higher value, such as 30 minutes.


Event ID 4 :  The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server PC01$. The target name used was PC01$

To sort this out, frankly, I'd consider disabling machine account password changes on the domain altogether. MS recommends not doing this because of the relaxed security it engenders, but if security is not much of a concern, try it.

In Default Domain Group Policy

Computer Configuration | Policies | Windows Settings | Admin Templates | Security Options | Domain Member

Try the following:

  • Domain member: Disable machine account password changes =  Enabled

OR increase the password age to 999 days [approx. 2.7 years]:

  • Domain member: Maximum machine account password age = 999 days


Check user group membership etc

whoami /groups

or GPResult

gpresult /r

Reset all Kerberos tickets of the user with this command:

klist purge


Regard’s
Syed Jahanzaib
