Author: Saba, Mitch

Disable All User Login Access

There are occasions when you want to make sure users cannot log into a system.  This can be due to a maintenance period, or, as I have used it, as part of the process for retiring a system.  It is simple enough, but I thought it worth documenting for posterity.

# cd /{root of user home directory}
# ls -al | awk '{print $3}' | grep -v -e '^$' | grep -v {account exceptions} | while read -r a; do usermod -s /sbin/nologin "$a"; done

To break down the possibly non-obvious part:

grep -v -e '^$'

This removes any blank lines from the output.  The rest should be self-explanatory; if it isn’t, ask in the comments section.

Don’t forget to add your account to the exception list, and it is always a good idea to test the output first.  To reverse the process change /sbin/nologin to /bin/bash.
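An added dry-run sketch (not the author's code) for the "test the output first" step: it reads passwd-format entries rather than `ls` output, so root, which owns the `.` and `..` entries that `ls -al` lists, is not swept up, and it records each account's current shell so the reversal does not have to assume /bin/bash. The function name `plan_nologin`, the sample accounts and the `admin1` exception are constructed for illustration.

```shell
#!/bin/bash
# Added example: print the planned changes instead of applying them.
# Usage: plan_nologin PASSWD_FILE HOME_ROOT "exempt1 exempt2 ..."
plan_nologin() {
    awk -F: -v root="${2%/}/" -v skip="$3" '
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) exempt[s[i]] = 1 }
        # Field 6 is the home directory, field 7 the login shell.
        index($6, root) == 1 && !($1 in exempt) && $7 != "/sbin/nologin" {
            printf "usermod -s /sbin/nologin %s  # restore with: usermod -s %s %s\n", $1, $7, $1
        }' "$1"
}

# Constructed sample in passwd(5) format; on a real host pass /etc/passwd.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
carol:x:1002:1002::/home/carol:/sbin/nologin
admin1:x:1003:1003::/home/admin1:/bin/bash
EOF

# Review this output, keep a copy for the rollback, then run the lines as root.
plan_nologin "$sample" /home "admin1"
```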

 

 

 

MySQL, phpMyAdmin user creation and grant errors

Recently I got a report from a user that they could not create a database using phpMyAdmin.  When I logged in and did some testing I began getting errors when I attempted to create a user, a database or grant privileges as root…

The root cause was a misalignment of the grants due to a missed step during a patch cycle (as we haven’t manually upgraded).  Here is more about it and how I fixed the problem:

First doing some investigation…

# mysql -uroot -p
Server version: 5.5.52 MySQL Community Server (GPL) by Remi

mysql> SELECT version();
+-----------+
| version() |
+-----------+
| 5.5.52    |
+-----------+
1 row in set (0.00 sec)

mysql> SELECT column_name,ordinal_position FROM information_schema.columns WHERE table_schema='mysql' and table_name='user' and column_name='plugin';
Empty set (0.00 sec)

mysql> SELECT COUNT(1) column_count FROM information_schema.columns WHERE table_schema='mysql' AND table_name='user';
+--------------+
| column_count |
+--------------+
|           39 |
+--------------+
1 row in set (0.00 sec)

That last query should return one of the following numbers:

  • If you get 43, MySQL 5.6
  • If you get 42, MySQL 5.5
  • If you get 39, MySQL 5.1
  • If you get 37, MySQL 5.0

As you can see from the above output, the numbers are not correct: we are using version 5.5 and only had 39 columns returned, instead of the expected 42.  This means that the upgrade wasn’t completed.  We can fix this with the following:

# mysql_upgrade -u root -p --upgrade-system-tables
Looking for 'mysql' as: mysql
The --upgrade-system-tables option was used, databases won't be touched.
Running 'mysql_fix_privilege_tables'...
OK

Rerunning the previous mysql queries we can see the changes:

# mysql -uroot -p
Server version: 5.5.52 MySQL Community Server (GPL) by Remi

mysql> SELECT version();
+-----------+
| version() |
+-----------+
| 5.5.52    |
+-----------+
1 row in set (0.00 sec)

mysql> SELECT column_name,ordinal_position FROM information_schema.columns WHERE table_schema='mysql' and table_name='user' and column_name='plugin';
+-------------+------------------+
| column_name | ordinal_position |
+-------------+------------------+
| plugin      |               41 |
+-------------+------------------+
1 row in set (0.00 sec)

mysql> SELECT COUNT(1) column_count FROM information_schema.columns WHERE table_schema='mysql' AND table_name='user';
+--------------+
| column_count |
+--------------+
|           42 |
+--------------+
1 row in set (0.00 sec)

Now I can go back into the phpMyAdmin interface and everything is working again.  Problem Solved.

Hope this helps, if it does say hello.

Yum Rollbacks

Very occasionally installing a package or updates with yum can have unexpected results.  Fortunately yum provides the ability to roll back anything it installs.  Here is an example of what these commands look like:

# yum history
Loaded plugins: package_upload, product-id, search-disabled-repos, security, subscription-manager
ID | Login user | Date and time | Action(s) | Altered
-------------------------------------------------------------------------------
 11 | root <root> | 2016-12-16 13:20 | Install | 8 
 10 | root <root> | 2016-12-16 10:38 | Install | 1 
 9 | root <root> | 2016-12-16 08:05 | Install | 1 
 8 | root <root> | 2016-12-15 15:37 | Install | 1 
 7 | root <root> | 2016-12-15 13:29 | Install | 10 
 6 | root <root> | 2016-12-15 12:55 | Install | 5 <
 5 | root <root> | 2016-12-08 14:51 | I, O, U | 381 >E
 4 | root <root> | 2016-12-08 14:45 | Install | 4 
 3 | root <root> | 2016-12-08 14:12 | I, U | 32 EE
 2 | root <root> | 2016-12-08 14:11 | Install | 1 
 1 | System <unset> | 2016-12-08 13:50 | Install | 644

To reverse any of these yum actions simply issue the command:

# yum history undo "#"

Where the trailing “#” is the ID number from the yum history output.

Good luck.

Subnet Cheat Sheet

Subnet Mask Cheat Sheet

Posted here because 95% of the networks are the same and when I encounter a different one I have to think about it…not any more!

See RFC 1878 for more details & information.

Prefix  Addresses  Hosts  Netmask          Amount of a Class C
/30             4      2  255.255.255.252  1/64
/29             8      6  255.255.255.248  1/32
/28            16     14  255.255.255.240  1/16
/27            32     30  255.255.255.224  1/8
/26            64     62  255.255.255.192  1/4
/25           128    126  255.255.255.128  1/2
/24           256    254  255.255.255.0    1
/23           512    510  255.255.254.0    2
/22          1024   1022  255.255.252.0    4
/21          2048   2046  255.255.248.0    8
/20          4096   4094  255.255.240.0    16
/19          8192   8190  255.255.224.0    32
/18         16384  16382  255.255.192.0    64
/17         32768  32766  255.255.128.0    128
/16         65536  65534  255.255.0.0      256

Network Interface Name in rhel7

Anyone who has installed rhel7 knows how annoying it is to check your network and not see eth0.  Perhaps it is just me then…  Regardless, here are instructions on how to change it:

First you need to know the name of the network adapter in use; you can look in /etc/sysconfig/network-scripts/ifcfg-eno##### or run this command:

# ip addr show

Now you need to do the following:

# vim /etc/sysconfig/grub

Add "net.ifnames=0 biosdevname=0" to the end of the line beginning with GRUB_CMDLINE_LINUX, for example:

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet net.ifnames=0 biosdevname=0"

Now you need to regenerate the GRUB configuration with the updated kernel parameters:

# grub2-mkconfig -o /boot/grub2/grub.cfg

Now you need to change the "eno##" named network scripts you identified above:

# cp -p /etc/sysconfig/network-scripts/ifcfg-eno16780032 /etc/sysconfig/network-scripts/ifcfg-eth0

Next edit the newly copied network script to change any reference to the eno### to eth0, for example:

sed -i -e 's/eno16780032/eth0/g' /etc/sysconfig/network-scripts/ifcfg-eth0

Now reboot:

# shutdown -r now

After system reboot your network interface shall be called eth0 and all will be right in the world again…

Hat tip to Angelo for most of the leg work.

Using redhat-support-tool in 10 space

OK, Private IP space, but you should know that 10 space means private IP space.

The command redhat-support-tool is useful when working with a Red Hat support ticket. Once a ticket is opened with Red Hat your next step should be to create and attach an sosreport to the ticket. If you don’t then you will waste valuable time as their first response will be, you guessed it, please attach an sosreport. Even attaching one is no guarantee they won’t still ask as they follow the script pretty closely.

The 90% use case for using the command redhat-support-tool is adding attachments, like this:

redhat-support-tool addattachment -c CASE_NUMBER /tmp/sosreport.tar.xz

If you have not configured /root/redhat-support-tool/redhat-support-tool.conf you will be prompted for your RHN user name and password.  Since I mentioned it, please note that /root/redhat-support-tool contains your configuration file and a log file.  Also note that if you configure global settings (more on that below), those settings are stored in /etc/redhat-support-tool.conf.

Back to Private IP space use.  Supposedly you can configure this using the redhat-support-tool -> config option, for example:

# redhat-support-tool
Command (? for help): config proxy_url proxy.your-url.domain

OR

# redhat-support-tool
Command (? for help): config proxy_url http://proxy.your-url.domain

OR setting it globally (sets it to /etc/redhat-support-tool.conf)

# redhat-support-tool
Command (? for help): config -g proxy_url http://proxy.your-url.domain

This, however, doesn’t always work.  Here is why, with an explanation thanks to my colleague Doug B:

I figured out the redhat-support-tool issue.

– It’s always connecting to proxy via https, so you have to use “http://proxy.url.edu:80” in order to force it.
– It may conflict with an http_proxy environment variable.

Even unsetting the variable within the tool (with --unset proxy_url) didn’t seem to clear out an incorrect entry – even though nothing was in the config file!

In the end it’s easiest to just export http_proxy=http://proxy.url.edu:80 and not modify anything within the support tool itself.

As you can see, a frustrating problem.  Yes, we could have just transferred the file and uploaded it using the webUI or from another system, but what would we have learned from that?!

Again, thanks to Doug B. for working with me on this.

Here is a link (account required) to more details about the redhat-support-tool: https://access.redhat.com/articles/445443

 

yum Invalid System Credential error

I ran across the following yum error after migrating a system from being a client of Satellite 5.6 to Satellite 6.1.  First here is the error:

# yum update
Loaded plugins: package_upload, priorities, rhnplugin, search-disabled-repos, security, subscription-manager
There was an error communicating with RHN.
RHN Satellite or RHN Classic support will be disabled.

Error Message:
    Please run rhn_register as root on this client
Error Class Code: 9
Error Class Info: Invalid System Credentials.
Explanation: 
     An error has occurred while processing your request. If this problem
     persists please enter a bug report at bugzilla.redhat.com.
     If you choose to submit the bug report, please be sure to include
     details of what you were trying to do when this error occurred and
     details on how to reproduce this problem.

Setting up Update Process
rhel-6-server-rpms                                                                                                                                                            | 2.0 kB     00:00     
rhel-6-server-satellite-tools-6.1-rpms                                                                                                                                        | 2.1 kB     00:00     
No Packages marked for Update

This left me scratching my head for a few, and a quick search didn’t produce much, so I thought I should document this for posterity.

The problem was with the contents of the file /etc/yum/pluginconf.d/rhnplugin.conf

Part of my transition is running this command:

sed -i -e 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/rhnplugin.conf

The problem was that, unlike all of my other systems, this file must have been edited, because instead of containing "enabled=1" it contained "enabled = 1".

To correct that I modified my sed command to ignore white space:

sed -i -e 's/enabled\s*=\s*1/enabled=0/g' /etc/yum/pluginconf.d/rhnplugin.conf

More details can be found using the yum.conf man page.
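An added example (not from the original post) of the failure described above: `sed -i` exits 0 whether or not the pattern matched, so this version of the migration step checks the resulting file and reports any file it could not disable. The function name `disable_yum_plugin` and the sample files are constructed; `[[:space:]]` is used in place of the GNU-only `\s`.

```shell
#!/bin/bash
# Added example: disable a yum plugin and confirm the edit actually landed.
disable_yum_plugin() {
    conf=$1
    ws='[[:space:]]*'
    # Tolerate "enabled=1", "enabled = 1", tabs and trailing blanks.
    sed -i -E "s/^${ws}enabled${ws}=${ws}1${ws}\$/enabled=0/" "$conf"
    # sed returns 0 even when nothing matched, so verify the end state.
    if grep -Eq "^${ws}enabled${ws}=${ws}0${ws}\$" "$conf"; then
        return 0
    fi
    echo "WARNING: $conf has no 'enabled=0' line after edit" >&2
    return 1
}

# Constructed sample files standing in for /etc/yum/pluginconf.d/rhnplugin.conf.
workdir=$(mktemp -d)
printf '[main]\nenabled=1\ngpgcheck = 1\n'     > "$workdir/stock.conf"
printf '[main]\nenabled = 1\ngpgcheck = 1\n'   > "$workdir/spaced.conf"
printf '[main]\nenabled\t=\t1\ngpgcheck = 1\n' > "$workdir/tabbed.conf"
# Unexpected value (constructed): must be flagged, not silently skipped.
printf '[main]\nenabled = yes\ngpgcheck = 1\n' > "$workdir/odd.conf"

for f in "$workdir"/*.conf; do
    if disable_yum_plugin "$f"; then
        echo "disabled: $f"
    else
        echo "needs manual review: $f"
    fi
done
```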

Hope that is helpful.

 

Working with Repositories

Pulling packages from multiple sources can lead to problems.  If you are running rhel and have epel enabled, an update could inadvertently pull down a newer version from the wrong repository.  This doesn’t always cause a problem, but it can.  If you need to find all the epel packages on your system, here is how to list all packages installed from repo "X":

yum list installed | grep @epel

 

 

Kerberizing RHEL Server

Notes from Plone…

yum install krb5-workstation pam_krb5 -y
# if krb5.conf is present we should get a fresh copy
mv /etc/krb5.conf /etc/krb5.conf.bak
yum reinstall krb5-libs -y
# use -i -e, not -ie: "-ie" makes sed write a backup file with an "e" suffix
sed -i -e 's/example.com/uconn.edu/g' /etc/krb5.conf
sed -i -e 's/EXAMPLE.COM/UCONN.EDU/g' /etc/krb5.conf
fqdn=$(hostname --fqdn)
# print the commands to run at the kadmin prompt
echo "
ank -randkey host/$fqdn@UCONN.EDU
ktadd -k /etc/krb5.keytab host/$fqdn@UCONN.EDU
"

--- OR ---

kadmin netid/admin@UCONN.EDU
addprinc -randkey host/$fqdn
ktadd -k /etc/krb5.keytab host/$fqdn
modprinc -requires_preauth host/$fqdn
kadmin -p netid/admin@UCONN.EDU
exit
authconfig --enablekrb5 --updateall
echo "netid/admin@UCONN.EDU" >> ~/.k5login
restorecon ~/.k5login
chmod 600 ~/.k5login
service sshd restart