Friday, April 20, 2018

Change VMware SCSI controller type in a CentOS 7 VM

Source

In RHEL 7.x this is a bit different as modprobe.conf doesn't exist.
In my case I needed to change the controller for the root disk from Paravirtual to LSI Logic SAS. As the previous posts suggest, this needs to be done in two places, the regular disk and the RamDisk as both will need to boot with the new driver.
First, if possible, clone your machine; don't snapshot it. Whenever you are working with disks, it's best not to involve snapshots.
You may not need to do this second step. I did it on the theory that the disk controller would initialize itself if introduced to the system through an additional disk, just like you'd do for Windows.
Second step - Shut down your VM, attach a 1 GB disk using the SCSI controller type you'd like to change your root disk to, and bring the system back up so that modprobe can discover it. (You might be able to do this hot.)
Third step - Run the following command to add the correct driver to the RamDisk. (Remember, in my case I was moving from the VMware Paravirtual to the LSI Logic SAS driver. It's likely you are going the opposite way, but you just need to change the driver type.)
dracut -f -v --add-drivers mptsas
Other options for drivers are: mptspi, mptscsih, mptbase
After doing this, shut down and remove the 1 GB temporary disk. Change the controller for the root disk to whatever driver you just added to the ramdisk, and boot up the system.

Tuesday, April 3, 2018

Creating Kerberos Keytab Files Compatible with Active Directory

Source

How to create a keytab file for a Kerberos user logging into Active Directory.  What's a keytab file?  It's basically a file that contains a table of user accounts, with an encrypted hash of the user's password.  Why have a keytab file?  Well, when you want a server process to automatically log on to Active Directory on startup, you have two options:  type the password (in clear text) into a config file somewhere, or store an encrypted hash of the password in a keytab file.  Which is safer?  Well, you can decide.  In any case, you'd better do a good job of protecting the file (be it a config file or a keytab).

Anyway, the accepted way to store a hashed password in Kerberos is to use a keytab file.  Now the file can be created using a number of utilities.  On a Windows machine, you can use ktpass.exe.  On Ubuntu Linux, you can use ktutil.



Before I demonstrate how to create the keytab, a word about encryption.  There are a number of encryption types used for hashing a password.  These include DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC and a few others.  Active Directory uses RC4-HMAC by default.  Back in Windows 2000, you could also use the DES types without any trouble, but since Windows 2003, only RC4-HMAC is supported, unless you make a registry change (to all of your domain controllers).  If you need to use DES for some reason, then refer to the TechNet article at the bottom of the page.

Before attempting to create a keytab file, you'll need to know the user's Kerberos principal name, in the form of username@MYDOMAIN.COM, and the user's password.

Creating a KeyTab on Windows (tested on Windows Server 2008 R2)
Open a command prompt and type the following command:


ktpass /princ username@MYDOMAIN.COM /pass password /ptype KRB5_NT_PRINCIPAL /out username.keytab

Creating a KeyTab on Ubuntu Linux (tested on Ubuntu 10.10 - Maverick Meerkat)
Open a terminal window and type the following commands:

ktutil
addent -password -p username@MYDOMAIN.COM -k 1 -e RC4-HMAC
- enter password for username -
wkt username.keytab
q

Testing the Keytab File
Now in order to test the keytab, you'll need a copy of kinit.  You can use the version that's on Ubuntu, or if on Windows, you can install the latest Java runtime from Sun (JRE).  In either case, you'll need to set up your /etc/krb5.conf file (on Linux) or c:\windows\krb5.ini (on Windows).  Either file should look something like this:

[libdefaults]
default_realm = MYDOMAIN.COM
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
MYDOMAIN.COM = {
kdc = mydomain.com:88
admin_server = mydomain.com
default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

[login]
krb4_convert = true
krb4_get_tickets = false

Once you've got your Kerberos file set up, you can use kinit to test the keytab.  First, try to log on with your user account without using the keytab:

kinit username@MYDOMAIN.COM
- enter the password -

If that doesn't work, your krb5 file is wrong.  If it does work, now try the keytab file:

kinit username@MYDOMAIN.COM -k -t username.keytab

Now you should successfully authenticate without being prompted for a password.  Success!

More Information
If you need to use any encryption type other than RC4-HMAC, then you'll need to tweak your AD domain controllers.  Please refer to the following TechNet article.