I am no longer adding stuff to this page - I now post to https://www.saumgm.com/ instead - and will migrate some of the info here that might still be useful

Stokkeland Stuff to Remember

This page was created just to keep notes for myself - things to remember - some of it is old and irrelevant now, and perhaps some pieces are even wrong...

Windows get UUID

wmic csproduct get UUID

Mount file system over ssh

There are ways to do this with Windows; I just use it between Linux systems - Ubuntu 16 specifically in this example, but it shouldn't vary much.
Target file system is on bob@serverremote - no need to do anything on that system directly as long as it runs an ssh daemon.
On your local system, where you want to mount stuff from the target:
Install the sshfs package from your favorite distro - on Ubuntu/Debian do
apt install sshfs
If you haven't already, create ssh id keys:
If you haven't already, copy the ssh id to the target machine, so that you can ssh without a password:
ssh-copy-id bob@serverremote
Create a directory to mount in
mkdir /home/esmaralda/mnt/serverremote
Finally execute the mount command
sshfs -o allow_other,IdentityFile=~/.ssh/id_rsa bob@serverremote:/ /home/esmaralda/mnt/serverremote

Ubuntu/Linux bridging to sniff /packet capture within a vmware host

Not the best heading - the scenario is that I was troubleshooting some data passing through an F5 BigIP LTM (Virtual Appliance), so I wanted to set up something to do packet sniffing as well as firewalling/packet interception transparently on both sides.

This is easy enough: just a VM with 4 extra NICs, 2 on each bridge, and a couple of isolated vSwitches - the problem was I couldn't get it to pass traffic. If I assigned a local IP it worked fine, but packets meant to go across didn't - it took me nearly an hour to figure out, so I figured I would post it here.

The fix - set promiscuous mode to Accept on all port groups (or vSwitches) connected to a bridge. The default VMware/ESX setting is Reject - you have to change that to Accept, otherwise the bridge never sees the traffic.

A couple of people asked me about the bridge setup for Ubuntu/Debian - that info is all over the internet, but anyway, here is my /etc/network/interfaces on a VM with 5 NICs.

auto lo
iface lo inet loopback

# vm management/console
auto eth0
iface eth0 inet static

iface eth1 inet manual
iface eth2 inet manual
iface eth3 inet manual
iface eth4 inet manual

auto br0
iface br0 inet manual
  bridge_ports eth1 eth2

auto br1
iface br1 inet manual
  bridge_ports eth3 eth4

and don't forget

apt-get install bridge-utils ebtables

Ubuntu/Linux KVM virtualization Windows 7 Guest - virt-install and virsh

General virsh stuff
  • list running VMs: virsh list
  • list all VMs, including stopped ones: virsh list --all
  • kill a running VM:  virsh destroy vmname
  • remove a VM definition: virsh undefine vmname
Create a Windows 7 VM; note the --video option, it may be needed, especially if the VM boot gets stuck on "Starting windows..."
virt-install -n vmname -r 4096 \
  -c /path/to/media/iso/windows_7.iso \
  --disk path=/path/to/vm/vmname.sysvol \
  --vcpus 4 \
  --video=cirrus \
  --network bridge=br0 \
  --os-type windows --os-variant win7 --accelerate --noautoconsole \
  --vnc --vnclisten=
This assumes you want to use a file for the disk; of course you need to create vmname.sysvol with fallocate or something first, and you need the Windows 7 boot media ISO. Connect to your host system with VNC (the original TightVNC viewer 1.3 works fine, the newer RealVNC viewer crashes); if you only have one VM you VNC to ip like   but the port may increment as you add VMs.

vIM / gvIM - quickly fixing line endings dos/unix/mac CR LF

This is from http://vim.wikia.com/wiki/File_format which has all the details; for me it is usually about getting a file from Mac or Linux to DOS/Windows, or sometimes from DOS to Linux

Make it dos (CRLF):

  • :update
  • :e ++ff=dos

Make it Unix (LF):

  • :update
  • :e ++ff=unix

OpenSSL Stuff

Check out https://www.sslshopper.com/article-most-common-openssl-commands.html

Get PEM from pfx/p12

openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys
openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes

Create P12 from PEM

openssl pkcs12 -export -in mycertandbundle.pem -inkey my.key -out mycertbundle.p12

Tomcat / Java keystore - import key and cert (SSL)

Battling with Tomcat and certificates - the GoDaddy G2 SHA2 certificate specifically causes headaches.
The information at http://support.godaddy.com/help/article/5239/generating-a-csr-and-installing-an-ssl-certificate-in-tomcat-4x5x6x is/was wrong.
You can find your intermediates at https://certs.godaddy.com/anonymous/repository.pki
From GoDaddy download the Tomcat bundle (this gives you the correct file) - the cert file itself in this example is named mycert.crt and the private key
is just named my.key; the new keystore generated is mytomcat.keystore.
This was amended October 2016 - found the minimum/correct way basically (no need for aliased entries).
Overview is
- Have your key, cert and intermediary files in PEM format
- Put root and intermediate certs all in one file (gd_bundle-g2-g1.crt is GoDaddy's for the g1/g2 cross, SHA2)
- Add your own issued cert to the bottom of the same file
- Create a P12 file from that
- Create a keystore file from the P12
cat gd_bundle-g2-g1.crt > mycertandbundle.pem
cat mycert.crt >> mycertandbundle.pem
openssl pkcs12 -export -in mycertandbundle.pem -inkey my.key -out mycertbundle.p12
keytool -importkeystore -destkeystore mytomcat.keystore -srckeystore mycertbundle.p12 -srcstoretype PKCS12
Now your keystore should be fully usable.
Some Tomcats seem to require an alias named tomcat, such as Atlassian Bitbucket;
to rename the alias of a default import (the default alias is 1) do this:
keytool -changealias -alias 1 -destalias tomcat -keystore my.keystore
keytool -list -v -keystore my.keystore -alias tomcat

Citrix Netscaler certs need DER

If you try to import certs to a NetScaler and it keeps telling you the private key is wrong, chances are you need to convert your PEM to DER
openssl x509 -outform der -in cert.pem -out cert.der
openssl rsa -outform der -in key.pem -out key.der

Linux Misc things

Quickly get contents of a web page to stdout:  wget -q -O - http://url


extend root file system by adding partition to group 

This was done on ubuntu (14) but should apply to most modern Linuxes I would think.
  • figure out your setup with  vgdisplay / pvdisplay / lvdisplay
  • sda was partitioned  - sda5 was the /
  • Added a disk in the hypervisor - it showed up as sdb (reboot or refresh)
  • used fdisk to partition the new drive
    • fdisk /dev/sdb
    • n : add new, primary,1, start to finish (all defaults)
    • t : change type to Linux LVM (8e)
    • w : write and exit
  • pvcreate /dev/sdb1
  • vgextend volumegroup-name /dev/sdb1
  • lvextend -l +100%FREE /dev/volumegroup-name/root
  • resize2fs /dev/volumegroup-name/root
extend a file system by upsizing the partition, then extend pv, then lv
This was on Ubuntu 16, probably similar on most systems. I was adding space to a partition of a VM, /dev/sdb2, which was part of a logical volume.
This was all done without a reboot - I don't know if it would work on a root file system, I don't think I would chance that without some QA.
This is a simplified writeup
  • df -h
  • parted /dev/sdb
  • print
  • resizepart 2
    • Enter size/end - I find this part tricky, I did it at end of disk and simply put in the disk size as shown in print above. 247GB in my case (Would be easier if it showed you by cylinder or something, and suggested the last available in free space).
  • print
  • quit
  • pvdisplay
  • pvresize /dev/sdb2
  • pvdisplay
  • lvdisplay
  • lvresize -l +100%FREE /dev/volumegroupname/logicalvolumename (For some reason tab completion does not work here)
  • lvdisplay
  • resize2fs /dev/volumegroupname/logicalvolumename
  • df -h

Ubuntu quick everything Samba Share

This is completely unsafe and a very bad thing to do - should never be used for anything on any production or internet or network facing system. I use this myself in development, when I spin up a new box to do some testing for a bit, the box to be thrown out later. If you do this to a system that could be exposed to anything, your system will be taken over/compromised within milliseconds, so be warned, DO NOT DO THIS!
The details are likely more than needed, just what I did and now copy-paste when I need it.
sudo apt-get install samba
edit /etc/samba/smb.conf
in the [global] section add
   netbios name = something
   load printers = no
   printing = bsd
   printcap name = /dev/null
   socket options = TCP_NODELAY
possibly add this if you are brave
  wins server = n.n.n.n
change to
  unix password sync = no
Delete any sections other than global (such as the printer stuff)
add your new section(s), something like this (YOURSHARENAME is a placeholder for the share name):
[YOURSHARENAME]
        path = /my/share/loc
        read only = No
        guest ok = Yes
        create mask = 0644
        force user = root
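Added here as a check, not part of the original notes: a small shell audit that flags the settings this throwaway share relies on (force user = root, guest ok = yes, and map to guest set to anything but never), so a box set up this way gets noticed before it ends up facing a network. The two configs inside it are constructed for the demo; the [scratch] share name and the fileusers group are made up, and audit_smb_conf takes a real path such as /etc/samba/smb.conf.

```shell
#!/bin/sh
# Added example, not part of the original notes: flag the risky smb.conf
# settings the "quick everything" share depends on. Needs sh and awk only.
set -eu

# Constructed: the quick share from the notes, with section headers in place
QUICK_SHARE='[global]
   netbios name = something
   load printers = no
   unix password sync = no
[scratch]
        path = /my/share/loc
        read only = No
        guest ok = Yes
        create mask = 0644
        force user = root'

# Constructed: the same share restricted to authenticated members of a group
SAFER_SHARE='[global]
   netbios name = something
   map to guest = never
[scratch]
        path = /my/share/loc
        read only = no
        guest ok = no
        valid users = @fileusers
        create mask = 0640'

# audit_smb_text TEXT -> prints "section: finding" per risky setting;
# exit 1 if anything was found, 0 if clean. Comments and case are ignored,
# as smbd itself ignores them.
audit_smb_text() {
    printf '%s\n' "$1" | awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function hit(sec, msg) { print sec ": " msg; found++ }
        /^[ \t]*[;#]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # [section] header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); section = s; next
        }
        index($0, "=") {                            # key = value line
            eq  = index($0, "=")
            key = tolower(trim(substr($0, 1, eq - 1)))
            val = tolower(trim(substr($0, eq + 1)))
            if (key == "force user" && val == "root")
                hit(section, "force user = root, every client acts as root on the file system")
            else if (key == "guest ok" && (val == "yes" || val == "true" || val == "1"))
                hit(section, "guest ok = yes, anyone who can reach the port opens the share with no password")
            else if (key == "map to guest" && val != "never")
                hit(section, "map to guest = " val ", failed logins are silently downgraded to guest")
        }
        END { exit (found > 0) }'
}

# audit_smb_conf FILE -> same check for a config file on disk
audit_smb_conf() {
    audit_smb_text "$(cat "$1")"
}

# count_findings TEXT -> number of findings (0 for a clean config)
count_findings() {
    audit_smb_text "$1" | awk 'END { print NR }'
}

echo "== quick share =="
audit_smb_text "$QUICK_SHARE" || echo "-> unsafe, do not expose this host"
echo "== safer share =="
audit_smb_text "$SAFER_SHARE" && echo "-> no findings"
```

Run testparm -s first so you audit the config smbd will actually load, then feed its output to audit_smb_text; the quick share above produces two findings (guest ok and force user), the hardened variant none.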

Ubuntu 16 LTS - Samba Domain Member File Server
The page I originally followed went away, so I found https://www.server-world.info/en/note?os=Ubuntu_16.04&p=samba&f=3 - but just in case that also goes away, here are the steps:

sudo apt-get install winbind libpam-winbind libnss-winbind krb5-config 
Some places say you should get a prompt for realm info - I did not; I think it picked stuff up from DHCP and DNS in my environment. If you do, just put in CAPITALDOMAIN.NAME for the realm and dnsdomain.name for the Kerberos and admin servers.

My /etc/krb5.conf ended up like this after I cleaned it up; if you didn't get any prompt just use this - replace MYDOMAIN.LOCAL with whatever YOURLOCALREALM.DOMAIN is

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = MYDOMAIN.LOCAL
    ticket_lifetime = 24h
    forwardable = yes

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

edit /etc/nsswitch.conf and add winbind to passwd, group, and shadow - the file ended up like this:
passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Join system to domain with this command:
net ads join -U username
where username is an admin in the domain with rights to join computer objects. Then restart winbind:
service winbind restart

Edit /etc/samba/smb.conf - mine looks like this (change MYDOMAIN to match your short domain name, and MYDOMAIN.LOCAL to match your realm domain; change file_share_users to a group in your domain whose members should have access)
[global]
    workgroup = MYDOMAIN
    server string =
    security = ads
    realm = MYDOMAIN.LOCAL
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
    use sendfile = true

    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-99999
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind refresh tickets = yes

    restrict anonymous = 2
    log file = /var/log/samba/log.%m
    max log size = 50

#============================ Share Definitions ==============================

[YOURSHARENAME]
    comment = Domain Users can do stuff here
    path = /var/export/fileshare
    read only = no
    force group = "file_share_users"
    directory mask = 0770
    force directory mode = 0770
    create mask = 0660
    force create mode = 0660

Then restart samba - or just restart the server. Make sure the file system location has rights for this group as well.

If you want to allow ssh/console logins, you probably want to do this to create home dirs and set the default shell:
- sudo pam-auth-update   and check the option to create home dirs
- add these lines to the global section of smb.conf
winbind nss info = template
template homedir = /home/%D/%U
template shell = /bin/bash
- restart samba or the system

Ubuntu 12.04 LTS  Samba and SSH AD Integrated Domain Member (Likewise-Open) - outdated - see Ubuntu 16 notes above instead

This is not the solution, just a few notes; I had a hell of a time with it, so here are some pointers - as of 10/31/2013

This list may not be exactly what is needed - it's a list of how I got it to work, minus all the failed attempts

  • The Samba 4 package is VERY badly broken - seems like it is meant to be only a DC and not a member - installs fail anyway, so I stick with Samba 3
  • The Ubuntu package for Likewise-Open is broken, samba-interop-install does not work
  • install samba (3.6) from the Ubuntu package
  • install likewise-open from BeyondTrust: download the Debian package script and run it with defaults
  • Edit your smb.conf to match your domain stuff; you do NOT need all the crap mentioned in various places, here is mine:

[global]
 workgroup = MYDOMAIN
 server string = %h server
 wins server =
 dns proxy = no
 log file = /var/log/samba/log.%m
 syslog = 0
 max log size = 1000
 panic action = /usr/share/samba/panic-action %d
 security = ADS
 encrypt passwords = true
 passdb backend = tdbsam
 obey pam restrictions = no
 unix password sync = yes
 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 pam password change = yes
 map to guest = bad user
 usershare allow guests = yes
 machine password timeout = 0

[YOURSHARENAME]
    comment = My Share
    path = /path/to/share
    browsable = yes
    guest ok = no
    read only = no
    valid users = @MYDOMAIN\adGroupName

  • Restart nmbd and smbd
  • do
      domainjoin-cli join MYDOMAIN.LOCAL yourdomainusername
      lw-ad-cache --delete-all
      samba-interop-install --install
  • Reboot
  • Should work now, for SSH and for Samba.
  • One thing to watch for: from another Windows domain member, try  \\\share  instead of the machine name - I still haven't solved that part of it.. please email me if you know what is causing that: stokkeland overat gmail.com

Server 2008 (2008r2 and probably 2012 as well) - File Permission Crap

If you're a sysadmin on wintendo you probably experienced this - on Server 2003 and older, permissions were pretty straightforward, set and forget.. well, Server 2008 and the UAC crap screwed that up - it doesn't help to add Domain Admins or local admins, you still have to "force" your way in..

I don't know the exact reason; I know it is related to UAC and the ability to use the Domain Admins group - so the fix is to just create your own domain group, call it "FileServerAdmins" or something, add the domain admin accounts to it, then add this group to the volume security with full permissions, and as long as your directories inherit you should now be doing a lot better.

Bill Gates doesn't seem to have any usable best practices out there so I made my own; perhaps there are reasons this is bad, but I don't know them yet.

A newly attached volume comes with the ability for domain users (via sysname\Users) to create and add junk right from the root - wtf kind of security principle is this? So here is what I do:

  • Edit Volume permissions
    • Change CREATOR OWNER, Remove: Full Control, Change Permissions, Change Ownership
    • Change SYSNAME\Users, Remove EVERYTHING except: Read permissions
    • Add your File Server Admin Group with Full Control

  • Add a directory to share
  • Change Share Permissions to Everyone Full Control
  • Change Security Permissions - Add users and groups that need access (NEVER remove inheritance, anywhere - if you have to do that you designed your directory structure wrong).
    • Read Only Users Only get: Traverse/Exec, List/Read, Read Attrib, Read Ext Attrib, Read permissions
    • Read Write Users get everything except: Full Control, Change Permissions, Take Ownership

  • Use DFS (well, thats just what I do)

If you use the above security settings from the get-go, no one but admins can change permissions and screw things up, and your file server admins can get into folders without clicking the "continue" button (and waiting for hours if the structure is large)..

SSH Key Exchange Debian and derivatives

on your client:
    ssh-copy-id user@otherhost

where otherhost is the target you want to authenticate to without typing a password

Adobe Acrobat

I don't know what versions I used before, possibly 7 or 8 - where I could do stuff just fine: add text boxes, remove the stupid box around them, the background fill, and change the text color.. well, I started doing it on version X, or 10 as sane people would call it, and now you can't with the menu or right-click, which is VERY annoying and sucky.

Anyway, to do that, highlight the text (not the object, just the text), then hit Ctrl+E; now you can change text color and size and such...

OpenSSL commands for SSL Certs (RSA/X509) 

.pem files are typically ones with both key and cert in them.

Generate Private Key (skip -des3 for unsecured key)

  openssl genrsa -des3 -out keyfile 1024


Generate CSR, (Common name is domain name!) 

  openssl req -new -key keyfile -out csrfile 


Generate self signed cert

 openssl x509 -req -days 360 -in csrfile -signkey keyfile -out certfile


Remove encryption from a key

  openssl rsa -in keyfile 


Verify that a cert and key have the same modulus

  openssl x509 -noout -modulus -in certfile | openssl md5

  openssl rsa -noout -modulus -in keyfile | openssl md5

Need to use a key/cert on IIS? For whatever reason Bill Gates makes this hard - here is how I did it on IIS7:
 Export as a PKCS12 cert:  openssl pkcs12 -export -in hoyt.dom.cert -inkey hoyt.dom.key -out hoyt.dom.p12
 You can set a password if you like when it asks, probably a good idea
 transfer the p12 file to a Bill Gates machine; in IIS7, click on the server name (root of the tree) on the left, then Server Certificates on the right, import the cert - now you can choose this cert under bindings for the web site object.

Create your own CA and sign a request (issue cert) - e.g. for Dell iDrac cert issuance

Create the CA. This is of course against any best practices and makes it completely insecure, so never do this or use this for anything serious. I put the CA key and cert in a separate folder, and reference it when signing CSRs.
(To create a CA for real, see the openssl.org web site and info; you don't want to do what I have here in production or for anything that really needs to be secure.) The common name for the CA cert must NOT be the same as a domain name or something you will need a cert for; I used   "mydomain.com CA"  for my CN.

Create the CA key:  openssl genrsa -out ca.key 4096
Create the CA cert: openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

It is VERY important that each cert issued gets a serial that is unique to the CA; I recommend using openssl and a sequence file for that, as in the example below

To sign a request (issue a cert), you now need a CSR from somewhere else, e.g. in the Dell iDRAC use the web utility to generate a CSR, save that file as e.g.  myhost.csr - then do this

    openssl x509 -req -days 365 -in myhost.csr -out myhost.crt \
        -CA /path/CA/ca.crt -CAkey /path/CA/ca.key -CAcreateserial -CAserial /path/CA/myhost.seq

The .seq file is your serial sequence. Now if you happen to upload this .crt file to an iDRAC 6 it may say the upload failed, but it may have worked anyway (as long as you had just done a CSR; for each new cert you have to do a CSR in the GUI) - give it some time, reload the interface and check what issuer the cert has. I really think it sucks what Firefox (v8 and beyond, now v15) did with SSL checks (Error code: sec_error_reused_issuer_and_serial) and that the Dell iDRAC has no self-sign option onboard; I have been having a hell of a time getting Firefox to flush the old certs, and it doesn't tell you which one it is - doing the stuff above fixed it for me...
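Added example, not from the original notes, that runs the steps above end to end in a scratch directory and also covers the modulus check from the OpenSSL section: create the CA, sign two CSRs through a .seq file, verify each cert chains to the CA, confirm that cert and key pair up (by comparing public keys, which is the modulus check generalised so it also works for EC keys), and confirm the two serials differ. It assumes the openssl CLI is on PATH; the CA common name and the host names are made up, and the file names follow the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: throwaway CA, CSR signing
# with a serial sequence file, and the checks to run on the result.
# Assumes the openssl CLI is on PATH; everything lives under $WORK.
set -eu

WORK=$(mktemp -d)
CA_DIR="$WORK/CA"
mkdir -p "$CA_DIR"

# 1. CA key and self-signed CA cert. The CN is deliberately not a host name
#    you would ever request a server cert for (the notes use "mydomain.com CA").
make_ca() {
    openssl genrsa -out "$CA_DIR/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$CA_DIR/ca.key" \
        -subj "/CN=example.test CA" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# 2. Stand-in for the CSR a device's web UI would hand you: a key the CA
#    never sees plus a request whose CN is the host name (made-up names).
make_csr() {  # $1 = host name
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" \
        -out "$WORK/$1.csr" 2>/dev/null
}

# 3. Issue the cert. -CAcreateserial writes the .seq file on first use; later
#    signings read and increment it, which keeps every issuer+serial pair
#    unique (a reused pair is what triggers the Firefox
#    sec_error_reused_issuer_and_serial complaint mentioned in the notes).
sign_csr() {  # $1 = host name
    openssl x509 -req -days 365 -in "$WORK/$1.csr" -out "$WORK/$1.crt" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
        -CAcreateserial -CAserial "$CA_DIR/myhost.seq" 2>/dev/null
}

# Does the issued cert chain to the CA? (exit 0 = yes)
verify_chain() {  # $1 = host name
    openssl verify -CAfile "$CA_DIR/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Do a cert and a key belong together? The notes compare RSA modulus hashes;
# comparing the public keys is the same test and also works for EC keys.
key_matches_cert() {  # $1 = cert file, $2 = key file (exit 0 = they pair)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

cert_serial() {  # $1 = cert file -> hex serial
    openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'
}

demo() {
    make_ca
    make_csr host1
    sign_csr host1
    make_csr host2
    sign_csr host2
    verify_chain host1
    verify_chain host2
    key_matches_cert "$WORK/host1.crt" "$WORK/host1.key"
    if key_matches_cert "$WORK/host1.crt" "$WORK/host2.key"; then
        echo "host1 cert wrongly matched host2 key" >&2
        return 1
    fi
    [ "$(cert_serial "$WORK/host1.crt")" != "$(cert_serial "$WORK/host2.crt")" ]
    echo "host1 serial $(cert_serial "$WORK/host1.crt"), host2 serial $(cert_serial "$WORK/host2.crt"): chain and key checks passed"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl CLI not found, nothing to demonstrate" >&2
fi
```

Before loading a cert onto a device, verify_chain and key_matches_cert are the two checks worth running; the serial comparison is what the .seq file buys you, and cert_serial shows you the value a browser would cache.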

Networking OSPF / CISCO ++

On a Router (and perhaps switch?) - to enable Console messages (syslog) on a telnet or ssh session:    terminal monitor

As they say in the cisco world - the Light is Not Off


*nix Tips and Tricks

Fixing ^M in files to the correct format (with only newline)

From Bill Gates systems, use vi:   :%s/^M//g

To get the ^M in there hit CTRL+V then Enter

From Macintosh and fruity crap

cat badfile | tr '\015' '\012' > newfile
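Added example, not from the original notes, that covers both the vim ++ff section and the two fixes here: it classifies a file as DOS (CRLF), classic Mac (CR only) or Unix (LF) by reading its bytes, then applies the matching conversion, so you do not strip ^M from a file that actually needs its CRs translated to LF. The sample files are constructed inline; it needs only sh, od, awk, tr and cat.

```shell
#!/bin/sh
# Added example, not part of the original notes: detect a text file's line
# endings and normalise it to LF.
set -eu

# line_ending_type FILE -> prints dos, mac, unix or empty.
# A file with at least one CRLF pair counts as dos; one with bare CRs and no
# LF counts as mac; anything else containing LFs is unix.
line_ending_type() {
    od -A n -v -t u1 "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == 13) cr++                       # carriage return
                else if ($i == 10) {                     # line feed
                    if (prev == 13) { crlf++; cr-- }     # part of a CRLF pair
                    else lf++
                }
                prev = $i
            }
        }
        END {
            if (crlf > 0)     print "dos"
            else if (cr > 0)  print "mac"
            else if (lf > 0)  print "unix"
            else              print "empty"
        }'
}

# to_unix SRC DST -> writes SRC to DST with LF line endings, choosing the
# conversion from the detected type instead of guessing.
to_unix() {
    case "$(line_ending_type "$1")" in
        dos) tr -d '\r' < "$1" > "$2" ;;     # drop every ^M, like :%s/^M//g
        mac) tr '\r' '\n' < "$1" > "$2" ;;   # CR becomes LF, like tr '\015' '\012'
        *)   cat "$1" > "$2" ;;              # already unix (or empty): copy
    esac
}

# Constructed sample files in a scratch directory
WORK=$(mktemp -d)
printf 'one\r\ntwo\r\n' > "$WORK/dos.txt"
printf 'one\rtwo\r'     > "$WORK/mac.txt"
printf 'one\ntwo\n'     > "$WORK/unix.txt"
: > "$WORK/empty.txt"

for f in dos mac unix empty; do
    to_unix "$WORK/$f.txt" "$WORK/$f.out"
    echo "$f.txt: $(line_ending_type "$WORK/$f.txt") -> $(line_ending_type "$WORK/$f.out")"
done
```

The detection is the part vim's :e ++ff=... leaves to you; on a file with the wrong guess, tr -d '\r' on a classic Mac file would collapse it to one line, which is why to_unix looks first.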

CVS diff of all changes between tagged revisions:  cvs diff -N -c -r START-TAG -r END-TAG

Quickly create a empty file

A lot of instructions will tell you to use dd, which works, but it is slow - the advantage of course is that you get all blocks zeroed out or whatever - but if you just need a large file as a disk image for a VM or something, use fallocate:

  fallocate -l 15G mydisk.img

Disk and Partition Images

If backing up a physical machine with the hope of quickly throwing the image on a VM or other physical device, ALWAYS back up the entire disk as well as the individual partitions. If the disk has errors add  conv=noerror
dd if=/dev/sda  of=/some/place/disk.img
dd if=/dev/sda1  of=/some/place/part1.img

To loop mount a partition in an image, first get the offset and bytes-per-sector info
fdisk -lu disk.img
Your offset will be bytes per sector times the start sector, e.g. 512 bytes and start sector 38:
echo $((512*38))
mount -o loop,offset=19456 disk.img targetdir
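Added example, not from the original notes: the offset arithmetic above done by parsing fdisk -lu output instead of by hand, for any partition number, with the boot-flag column handled. The fdisk output inside is a constructed sample (disk.img, 512-byte sectors, two partitions); the mount line it builds adds ro so an image you are only inspecting is not modified. Needs only sh and awk.

```shell
#!/bin/sh
# Added example, not part of the original notes: compute mount -o loop,offset=
# for a partition inside a whole-disk image from `fdisk -lu` output,
# i.e. sector size * start sector.
set -eu

# Constructed sample of `fdisk -lu disk.img` output (2048-sector alignment)
SAMPLE_FDISK='Disk disk.img: 4 GiB, 4294967296 bytes, 8388608 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1234abcd

Device     Boot   Start     End Sectors  Size Id Type
disk.img1  *       2048 1050623 1048576  512M 83 Linux
disk.img2       1050624 8388607 7337984  3.5G 8e Linux LVM'

# sector_size TEXT -> logical sector size from the "Sector size" line
sector_size() {
    printf '%s\n' "$1" | awk '/^Sector size/ { print $4; exit }'
}

# start_sector TEXT N -> start sector of the Nth row of the partition table
start_sector() {
    printf '%s\n' "$1" | awk -v n="$2" '
        /^Device/ { in_table = 1; next }        # header row of the table
        in_table && NF {
            row++
            if (row == n) {
                start = ($2 == "*") ? $3 : $2   # a "*" boot flag shifts the columns
                print start
                exit
            }
        }'
}

# partition_offset TEXT N -> byte offset of partition N
partition_offset() {
    echo $(( $(sector_size "$1") * $(start_sector "$1" "$2") ))
}

# mount_command TEXT N IMAGE DIR -> the mount line to run; ro keeps the image intact
mount_command() {
    printf 'mount -o ro,loop,offset=%s %s %s\n' \
        "$(partition_offset "$1" "$2")" "$3" "$4"
}

mount_command "$SAMPLE_FDISK" 1 disk.img /mnt/part1
mount_command "$SAMPLE_FDISK" 2 disk.img /mnt/part2
```

Feed it real output with `partition_offset "$(fdisk -lu disk.img)" 2`; for the sample, partition 1 lands at 1048576 and partition 2 at 537919488.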

Match All Files Except (apache htaccess)

 I spent some time looking for this and others did too; since there is no "negative string match" in regex it's tricky, but I did eventually find a trick here. It's about limiting access to all files except some or one.

AuthUserFile .htpasswd
AuthGroupFile /dev/null
AuthName "Staff"
AuthType Basic

# every file needs a valid login...
<Files "*">
require valid-user
</Files>
# ...except this one, which anyone may fetch (Allow/Satisfy are Apache 2.2
# syntax; on 2.4 the equivalent inside the block is "Require all granted")
<Files "filename">
Allow from all
Satisfy any
</Files>



Towing Beer cans behind a boat or canoe

 As I was preparing myself mentally for this year's yagottaregatta I was also working on a way to safely string beer cans to keep them cool in the water behind the canoe. Searching for this revealed little to nothing, so I figured I would improvise and figure out a method. Unfortunately I did not take pictures of my work, but it turned out pretty well: use the constrictor knot around each can, and a 3 inch piece of duct tape, not over the knot but on the other side, just to prevent slipping... you can find tons of web pages showing how the constrictor knot is done; it holds up really well and is easy to tie even if you are hooking it on without the ends.... good luck! :)


Older Stuff probably not very useful anymore (Original Stuff to Remember)

 personal link http://jts.fyi