Installing open-vm-tools deployPkg plug-in for Ubuntu Guest Operating Systems

If you are installing the open source implementation of VMware Tools, ‘open-vm-tools’, into your guest operating system and need to use the virtual machine as a template, or use Site Recovery Manager to customize virtual machines after failover, you must also install the ‘deployPkg Tools’ plug-in.

The steps below cover installing the plug-in on an Ubuntu operating system; steps for other operating systems can be found here.

Firstly, we need to obtain and import the VMware Packaging Public keys, which can be downloaded from here; the files must be saved into a directory on the guest operating system. We then import each downloaded key, and on successful completion you should receive the below notification:

sudo apt-key add /tmp/keys/VMWARE-PACKAGING-GPG-DSA-KEY.pub
OK
sudo apt-key add /tmp/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub
OK

We will now create the file ‘/etc/apt/sources.list.d/vmware-tools.list’ to add the below package repository and update the package index.

deb http://packages.vmware.com/packages/ubuntu precise main
sudo apt-get update

Once the package index has been updated we can invoke the following to install the ‘deployPKG’ plug-in. Once installed you should be able to customize your template or virtual machine for failover using Site Recovery Manager.

sudo apt-get install open-vm-tools-deploypkg

Installing Likewise Open on Ubuntu 14.04

In the release of Ubuntu 14.04 it would now appear that the likewise open package has been removed from the repository and there is no source package available.

However, as mentioned in the following article http://www.tecmint.com/integrate-ubuntu-14-04-to-zentyal-pdc/ you can manually download and install the packages. I only followed the steps to download and install the likewise-open and libglade packages as I do not require the GUI package.

To manually download and install the required packages as above, invoke the following:

$ wget http://de.archive.ubuntu.com/ubuntu/pool/main/l/likewise-open/likewise-open_6.1.0.406-0ubuntu10_amd64.deb
$ wget http://de.archive.ubuntu.com/ubuntu/pool/main/libg/libglade2/libglade2-0_2.6.4-1ubuntu3_amd64.deb
$ sudo dpkg -i likewise-open_6.1.0.406-0ubuntu10_amd64.deb
$ sudo dpkg -i libglade2-0_2.6.4-1ubuntu3_amd64.deb

However, I received the following error, when attempting to install the libglade2-0:amd64 package:

dpkg: error processing package libglade2-0:amd64 (--install): dependency problems - leaving unconfigured
Errors were encountered while processing:libglade2-0:amd64

All I was required to do was to run ‘sudo apt-get -f install‘ to install any dependencies the libglade package required and following this I was able to invoke ‘domainjoin-cli‘ from the installed likewise open package.

Guest Customization of VM fails with “Error : Could not create file /etc/dhcp3/dhclient.conf!”

I was recently deploying VMs from an Ubuntu template using guest customization, where guest customization failed and the IP address also failed to be updated, with the following error:

An error occurred while customizing <VM>. For details, reference the log file /var/log/vmware-imc/toolsDeployPkg.log in the guest OS

On investigating the log file, the following error has been generated:

ERROR: Error : Could not create file /etc/dhcp3/dhclient.conf!

The cause of this issue is VMware Tools being unable to create a file in the /etc/dhcp3 directory, as this directory does not exist.

In order to resolve the issue, you will need to create the directory by converting the template to a VM, making the below change and converting back to a template for deployment.

mkdir /etc/dhcp3

Integrating Google Authenticator PAM module with FreeRADIUS Server

I was recently investigating two factor authentication solutions to use with a Watchguard XTM appliance for mobile VPN solutions, where I came across FreeRADIUS (http://freeradius.org/).

FreeRADIUS server is a daemon for UNIX (like) operating systems which allows a RADIUS protocol server to be set up. FreeRADIUS is an open-source project and is developed by the user group “the FreeRADIUS project”.

FreeRADIUS provides support for a pluggable authentication module (PAM) library. Integrating this with Google Authenticator (https://code.google.com/p/google-authenticator/), a project that provides implementations of one-time passcode (OTP) generators for mobile platforms as well as a PAM module, allows a dual factor solution to be implemented.

The OTP is generated using open standards as developed by http://www.openauthentication.org/. The implementations support the HMAC-Based One-time passcode (HOTP) algorithm (https://tools.ietf.org/html/rfc4226) and the Time-based One-time Password (TOTP) algorithm (https://tools.ietf.org/html/rfc6238).

In order to install and configure the FreeRADIUS server and integrate with the Google Authenticator PAM Module Source, I performed the following steps:

1) Install FreeRADIUS and the required packages:

apt-get install build-essential libpam0g-dev freeradius git libqrencode3

2) Download the Google Authenticator PAM Module Source and build the executable program and libraries from source code.

git clone "https://code.google.com/p/google-authenticator/"
cd google-authenticator/libpam/
make
make install

3) FreeRADIUS is required to run as root in order to access the ‘.google_authenticator’ token in each home directory. This can be set by editing ‘/etc/freeradius/radiusd.conf’ to change the user and group to root.

user = root
group = root

4) In order to use the PAM libraries to authenticate users as the default rule, edit ‘/etc/freeradius/users’ to include the following:

DEFAULT        Auth-Type := PAM

5) In order to allow PAM authentication, edit /etc/freeradius/sites-enabled/default to uncomment the following:

#  Pluggable Authentication Modules.
pam

6) PAM is required to use the local Unix password in combination with the Google Authenticator password; edit ‘/etc/pam.d/radiusd’ to include the following:

#@include common-auth
#@include common-account
#@include common-password
#@include common-session
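# Checks the one-time code; forward_pass hands the remaining password to the next module.
auth requisite pam_google_authenticator.so forward_pass
# Checks the forwarded local Unix password.
auth required pam_unix.so use_first_pass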

7) Restart the FreeRADIUS service to apply configuration changes:

service freeradius restart

8) Create a security group to use for RADIUS authentication:

groupadd <group>

As authentication is managed by a combination of the local Unix password and the Google Authenticator password, we will be required to create a user account on the local Unix operating system, create a password and add to the RADIUS security group by performing the following:

adduser <username>
usermod -a -G <group> <username>

Once the user account has been created and added to the security group we will be required to invoke the google-authenticator to generate the google_authenticator token:

cd /home/username
su username
google-authenticator

You will be prompted to answer a number of questions in regards to your authentication token. Once completed, a QR code and secret key will be created which will allow you to configure the authentication token on your device.

Do you want authentication tokens to be time-based (y/n)
_authenticator" file (y/n)
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)

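In order to test authentication locally you can perform the following. Because of forward_pass, the Unix password and the Google Authenticator token are entered together as a single password argument, with no space between them:

radtest <username> <unix password><google authenticator token> localhost 18120 <secret key>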

If the above fails and you need to start FreeRADIUS in debug mode, perform the following:

service freeradius stop
freeradius -XXX

Install MongoDB on Ubuntu

Firstly, import the MongoDB public GPG key to require that the package is signed by the distributor. I was also required to enable outbound connections on TCP service port 34898 to communicate with the key server using the hkp protocol:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10

Now add the distribution for the package to the repository:

echo 'deb http://downloads-distro.mongodb.org/repo/ubuntu-upstart dist 10gen' | sudo tee /etc/apt/sources.list.d/mongodb.list

Finally, reload the repository and install the package:

sudo apt-get update
sudo apt-get install mongodb-10gen

Install RabbitMQ Server On Ubuntu

Add the following entry to /etc/apt/sources.list to use the RabbitMQ repository:

deb http://www.rabbitmq.com/debian/ testing main

To remove warnings about unsigned packages add the RabbitMQ public key to the trusted key list:

wget http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
sudo apt-key add rabbitmq-signing-key-public.asc

Update the repositories and install RabbitMQ:

sudo apt-get update
sudo apt-get install rabbitmq-server

To confirm the status of the RabbitMQ broker run the following:

sudo rabbitmqctl status

Nagios XI and Ubuntu returns ‘CHECK_NRPE: Received 0 bytes from daemon’.

When monitoring a remote Ubuntu server with Nagios XI I was receiving the below unknown message for the service status:

CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.

Following investigation, I noticed the following entry in /var/log/syslog:

Nov 11 15:24:58 nrpe[7768]: Error: Request contained command arguments, but argument option is not enabled!
Nov 11 15:24:58 nrpe[7768]: Client request was invalid, bailing out...

In order to resolve this issue I had to modify the Nagios configuration file (/etc/nagios/nrpe.cfg) on the remote server to allow command arguments:

dont_blame_nrpe = 1