ESP32-CAM (aithinker) and Shinobi camera recorder

Using the code in the previous post I can now place several ESP32s around the house and stream them to my little server. I installed a Debian VM and added a 2TB SSD drive for storage.

It is streamed to an installation of Shinobi (the ninja way) which is fairly easy to install as root:

apt install curl
sh <(curl -s https://cdn.shinobi.video/installers/shinobi-install.sh)

See more Shinobi stuff here: https://shinobi.video/

Noteworthy settings to get an ESP32 working are:

Input Type: MJPEG
Automatic: No
Connection Type: HTTP
RTSP Transport: Auto
Username: <empty>
Password: <empty>
Host: 10.10.10.10 (the camera's IP on your network here)
Port: 81
Force Port: Yes
Path: /stream
Retry Connection: 0
Skip Ping: Yes

The rest is up to you, but this should get your ESP32 camera connected.

Note: the ESP32 can handle one connection at a time, so don’t open it in a web browser and try to add it there; it won’t work. Let Shinobi make the connection and you’ll be fine to watch or record it there.

Shinobi is a fine piece of software.


ESP32-CAM (aithinker) module with stable camera

After reading a bit, I found a good write-up about it at:

I edited the standard cameraserver.ino and ended up with something that runs more stably.

This is just the main sketch; you still need to have the standard libraries that come with the example installed.

Features: static IP, WiFi connection, WiFi connection checking, LED indicator, automatic reboot, internal watchdog (in case the system hangs) and logging details on serial out.

If the system really hangs and the internal watchdog doesn’t catch it, you need an external watchdog that monitors a signal on one of the pins and acts on it, e.g. a repeating heartbeat generated from an interrupt or in loop(). Let this signal reset an external timer; if the timer is not reset in time, it cycles the power or triggers a reboot.

It is a lot of work for something that probably doesn’t happen, so I’m not sure if I will ever implement a hardware watchdog for this little system.

Have fun, there’s no copyright, just grab the code if you want.

Edit: 2024-oct-17: updated code
Edit: 2024-oct-20: updated code again, was hanging on first connect.
Edit: 2024-oct-20: added flashing LED 3 times before connecting and, when all went fine, flashing 3 more times when connected
Edit: 2024-nov-07: updated code, added internal watchdog

#include "esp_camera.h"
#include <esp_task_wdt.h>
#include <WiFi.h>

// Watchdog timeout in seconds
#define WDT_TIMEOUT_SEC 20

#define CAMERA_MODEL_AI_THINKER // Has PSRAM
#include "camera_pins.h"

// Enter your WiFi credentials
const char *ssid = "SSID"; // edit this
const char *password = "xxxxxxxxxxxxxxxxxxxxxx"; // edit this

unsigned long currentMillis;
unsigned long wakeup;
unsigned long last_wakeup;

void startCameraServer();
void setupLedFlash(int pin);

// Set your Static IP address
IPAddress local_IP(192, 168, 100, 247); // edit this

// Set your Gateway IP address
IPAddress gateway(192, 168, 100, 254); // edit this
IPAddress subnet(255, 255, 255, 0); // edit this
IPAddress primaryDNS(8, 8, 8, 8); // edit this
IPAddress secondaryDNS(1, 1, 1, 1); // edit this

// Define red LED
const int ledPin = 33;

void blinkLED(int pin, int times, int interval) {
  for (int i = 0; i < times; i++) {
    digitalWrite(pin, LOW);
    delay(interval);
    digitalWrite(pin, HIGH);
    delay(interval);
  }
}

void initializeWiFi() {
  if (!WiFi.config(local_IP, gateway, subnet, primaryDNS, secondaryDNS)) {
    Serial.println("** Static IP configuration failed. Rebooting...");
    ESP.restart();
  }
  WiFi.begin(ssid, password);
  WiFi.setSleep(false);
}

// Task watchdog timer configuration (ESP-IDF 5.x style struct)
esp_task_wdt_config_t twdt_config = {
    .timeout_ms = WDT_TIMEOUT_SEC * 1000, // 20 s, see the define above
    .idle_core_mask = 0,                  // do not watch the idle tasks, only tasks added explicitly
    .trigger_panic = true                 // on timeout, panic so the ESP32 resets
};

void setup() {

  // Initialize the watchdog timer configuration
  esp_task_wdt_deinit(); //wdt is enabled by default, so we need to 'deinit' it first
  esp_task_wdt_init(&twdt_config); //enable panic so ESP32 restarts

  // Setup red LED
  pinMode(ledPin, OUTPUT);

  Serial.begin(115200);
  Serial.println("\n** Serial started, speed 115200.");  

  camera_config_t config;
  config.ledc_channel = LEDC_CHANNEL_0;
  config.ledc_timer = LEDC_TIMER_0;
  config.pin_d0 = Y2_GPIO_NUM;
  config.pin_d1 = Y3_GPIO_NUM;
  config.pin_d2 = Y4_GPIO_NUM;
  config.pin_d3 = Y5_GPIO_NUM;
  config.pin_d4 = Y6_GPIO_NUM;
  config.pin_d5 = Y7_GPIO_NUM;
  config.pin_d6 = Y8_GPIO_NUM;
  config.pin_d7 = Y9_GPIO_NUM;
  config.pin_xclk = XCLK_GPIO_NUM;
  config.pin_pclk = PCLK_GPIO_NUM;
  config.pin_vsync = VSYNC_GPIO_NUM;
  config.pin_href = HREF_GPIO_NUM;
  config.pin_sccb_sda = SIOD_GPIO_NUM;
  config.pin_sccb_scl = SIOC_GPIO_NUM;
  config.pin_pwdn = PWDN_GPIO_NUM;
  config.pin_reset = RESET_GPIO_NUM;
  config.xclk_freq_hz = 20000000;
  config.frame_size = FRAMESIZE_UXGA;
  config.pixel_format = PIXFORMAT_JPEG;  // for streaming
  config.grab_mode = CAMERA_GRAB_WHEN_EMPTY;
  config.fb_location = CAMERA_FB_IN_PSRAM;
  config.jpeg_quality = 12;
  config.fb_count = 1;

  // if PSRAM IC present, init with UXGA resolution and higher JPEG quality
  //                      for larger pre-allocated frame buffer.
  if (config.pixel_format == PIXFORMAT_JPEG) {
    if (psramFound()) {
      config.jpeg_quality = 10;
      config.fb_count = 2;
      config.grab_mode = CAMERA_GRAB_LATEST;
    } else {
      // Limit the frame size when PSRAM is not available
      config.frame_size = FRAMESIZE_SVGA;
      config.fb_location = CAMERA_FB_IN_DRAM;
    }
  } else {
    // Best option for face detection/recognition
    config.frame_size = FRAMESIZE_240X240;
  #if CONFIG_IDF_TARGET_ESP32S3
    config.fb_count = 2;
  #endif
  }

  #if defined(CAMERA_MODEL_ESP_EYE)
    pinMode(13, INPUT_PULLUP);
    pinMode(14, INPUT_PULLUP);
  #endif

  // camera init
  esp_err_t err = esp_camera_init(&config);
  if (err != ESP_OK) {
    Serial.printf("** Camera init failed with error 0x%x", err);
    ESP.restart();
    return;
  }

  sensor_t *s = esp_camera_sensor_get();
  // initial sensors are flipped vertically and colors are a bit saturated
  if (s->id.PID == OV3660_PID) {
    s->set_brightness(s, 1);   // up the brightness just a bit
    s->set_saturation(s, -2);  // lower the saturation
    s->set_framesize(s, FRAMESIZE_VGA); // 640x480
    s->set_hmirror(s, 1); // 0 = disable , 1 = enable -> Mirror correctly
    s->set_vflip(s, 1); // 0 = disable , 1 = enable -> Flip it back
  }
  
  // drop down frame size for higher initial frame rate
  if (config.pixel_format == PIXFORMAT_JPEG) {
    s->set_framesize(s, FRAMESIZE_VGA);
  }

  #if defined(CAMERA_MODEL_M5STACK_WIDE) || defined(CAMERA_MODEL_M5STACK_ESP32CAM)
    s->set_vflip(s, 1);
    s->set_hmirror(s, 1);
  #endif

  #if defined(CAMERA_MODEL_ESP32S3_EYE)
    s->set_vflip(s, 1);
  #endif

  // Setup LED FLash if LED pin is defined in camera_pins.h
  #if defined(LED_GPIO_NUM)
    setupLedFlash(LED_GPIO_NUM);
  #endif

  blinkLED(ledPin, 3, 1000);

  initializeWiFi();

  wakeup = millis();
  last_wakeup = wakeup;

  Serial.print("** Connecting to WiFi.");
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
    if (millis() - wakeup > 60000) {
      ESP.restart();
    }
  }

  Serial.println("\n** WiFi Connected");
  Serial.print("** Local IP ");
  Serial.println(WiFi.localIP());

  startCameraServer();
  Serial.println("** Camera server started.");

  // Watchdog: add the current task (the one running loop()) to the Task Watchdog Timer.
  // From here on loop() must call esp_task_wdt_reset() within WDT_TIMEOUT_SEC seconds,
  // otherwise the watchdog panics and the ESP32 reboots.
  esp_task_wdt_add(NULL);
}

void reconnectWiFi() {
  if (WiFi.status() != WL_CONNECTED) {
    Serial.println("** Reconnecting WiFi...");
    WiFi.disconnect();
    initializeWiFi();
    unsigned long startAttemptTime = millis();
    while (WiFi.status() != WL_CONNECTED && millis() - startAttemptTime < 8000) {
      delay(500);
      Serial.print(".");
    }

    if (WiFi.status() != WL_CONNECTED) {
      Serial.println("** WiFi reconnect failed, rebooting.");
      ESP.restart();
    } else {
      Serial.println("** WiFi reconnected successfully.");
    }
  }
}

void loop() {

  // Feed the watchdog timer at the beginning of each loop iteration
  esp_task_wdt_reset();

  wakeup = millis();

  if (wakeup - last_wakeup >= 60000) { // Check every minute
    Serial.println("** Probing WiFi connection...");
    digitalWrite(ledPin, LOW); // LED on
    delay(200);

    reconnectWiFi();

    last_wakeup = wakeup;
    digitalWrite(ledPin, HIGH); // LED off

  }

  // Print wifi strength
  int32_t rssi = WiFi.RSSI();  // Get the current RSSI
  Serial.print("WiFi Signal Strength: ");
  Serial.print(rssi);
  if (rssi > -50) {
    Serial.println(" (Excellent)");
  } else if (rssi > -60) {
    Serial.println(" (Good)");
  } else if (rssi > -70) {
    Serial.println(" (Fair)");
  } else {
    Serial.println(" (Weak)");
  }
  delay(1000); // Small delay to prevent excessive looping
}

One letter file extensions on win11

Shame on you, MS: I couldn’t adjust it through Settings / Apps / Default Apps, as one-letter extensions are not allowed there. -sigh-

So, Windows 11 does not allow you to adjust a one-letter file extension.
This is annoying; I had to play around with FileTypesMan (an alternative to the ‘File Types’ manager of Windows, nirsoft.net) to re-register .c and .h files, which I like to view or edit with Notepad++ on Windows.

When I messed about with the Nirsoft tool I could then double-click the .c and .h files and re-register them with one of my favorite apps.


Add Azure AD user to local admin on a workstation

Add an Azure AD user as local admin on a workstation:

Open cmd as admin and run:

net localgroup administrators AzureAD\<username> /add

Admin rights are required to do this, of course; <username> is the UPN of the Azure AD user you want to add.


VEEAM Failed to process OneDrive

In VEEAM O365 Backup, I got the error:

:: Failed to process OneDrive: <Full Name> (https://xxxx-my.sharepoint.com/personal/<username>). The remote server returned an error: (401) Unauthorized.

Apparently the rights had not quite been set correctly on the OneDrives at this customer, so I added the service account that runs the backup as site admin using the script from Lieben:

https://www.lieben.nu/liebensraum/2015/08/setting-administrative-permissions-on-all-your-onedrive-for-business-accounts/

Hope this helps you.


No match was found for the specified search criteria for the provider ‘NuGet’

To solve the issue with NuGet, open an elevated PowerShell (as admin) and run the following command:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

The command does not give any reply.
This enables TLS 1.2, which is probably required by now.

Try your nuget command again.
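
As an added example (not part of the original post), the same change done additively, so protocols that are already enabled stay enabled, followed by a check that TLS 1.2 is in effect before the provider lookup is retried; Find-PackageProvider is assumed to be the command that produced the error.

```powershell
# Added example, not part of the original post: enable TLS 1.2 for the current
# session without dropping protocols that are already enabled, verify it, then
# retry the NuGet provider lookup.
function Enable-Tls12 {
    # Returns the protocol set in effect after the change.
    $current = [Net.ServicePointManager]::SecurityProtocol
    # -bor keeps whatever is already enabled; the plain assignment used in the
    # one-liner above replaces the whole set with TLS 1.2 only.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]($current -bor [Net.SecurityProtocolType]::Tls12)
    [Net.ServicePointManager]::SecurityProtocol
}

$protocols = Enable-Tls12
if (-not $protocols.HasFlag([Net.SecurityProtocolType]::Tls12)) {
    throw "TLS 1.2 could not be enabled; protocols in effect: $protocols"
}
"Protocols now in effect: $protocols"

# The lookup that produced the 'No match was found' error should now succeed
Find-PackageProvider -Name NuGet
```

The setting only lives in this PowerShell session; a new window starts with the .NET default again.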

Hope this helps you. Have a great day.

VMware 7.0 on Intel NUC with vusb0 – not yet fully working… :(

I wanted to see if I could install VMware 7.0 on my Intel NUC with its unsupported onboard network NIC, hence I will try vusb0.

Conclusion: Buggy. VMware runs, but creating a virtual machine is problematic.

02-10-2020 Edit:

VMware 7.0 works fine on a NUC10i7FNH model.

I stopped investigating vusb0 and just replaced the machine.

What did not work was the rest I tried earlier…
==============================================================

First I created an install medium with PowerShell (the [A] lines are the "Yes to All" answers to the prompts):

Import-Module VMware.VimAutomation.Core
Set-PowerCLIConfiguration -Scope User -ParticipateInCEIP $false
# [A]
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
# [A]
Add-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
Export-ESXImageProfile -ImageProfile "ESXi-7.0.0-15843807-standard" -ExportToBundle -filepath ESXi-7.0.0-15843807-standard.zip -Force
Remove-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
# The cloned profile must carry the name the following commands refer to
New-EsxImageProfile -CloneProfile "ESXi-7.0.0-15843807-standard" -name "ESXi-7.0.0-15843807-IntelNUC" -Vendor "tinkerist.com"
Set-EsxImageProfile -Name ESXi-7.0.0-15843807-IntelNUC -ImageProfile ESXi-7.0.0-15843807-IntelNUC -AcceptanceLevel CommunitySupported
Add-EsxSoftwareDepot .\ESXi700-VMKUSB-NIC-FLING-34491022-component-15873236.zip, .\ESXi-7.0.0-15843807-standard.zip
Add-EsxSoftwarePackage -ImageProfile ESXi-7.0.0-15843807-IntelNUC -SoftwarePackage vmkusb-nic-fling
Export-ESXImageProfile -ImageProfile ESXi-7.0.0-15843807-IntelNUC -ExportToIso -filepath ./ESXi-7.0.0-15843807-IntelNUC.iso

Then, using this .iso, I made a bootable USB drive with Rufus 3.9.

Installing VMware 7.0 using the USB Fling results in a message that no network cards can be found and assigned, or something along those lines.
I didn’t complete the installation; I just left it at that point, removed the install media and rebooted the machine.
VMware is then actually installed, but the setup has not assigned the network correctly, so you will have to do that manually.

I noticed the specified root password was not saved, so it was empty; I set it using the console (after logging in with an empty password).

Then I configured the network settings manually on the console, after enabling the shell:

esxcli network vswitch standard add --vswitch-name=vSwitch0
esxcli network vswitch standard portgroup add --portgroup-name=Portgroup0 --vswitch-name=vSwitch0
esxcli network vswitch standard uplink add --uplink-name=vusb0 --vswitch-name=vSwitch0
esxcli network ip interface add --interface-name=vmk0 --portgroup-name=Portgroup0
esxcli network ip interface ipv4 set --interface-name=vmk0 --ipv4=192.168.99.253 --netmask=255.255.255.0 --type=static

Adding, removing and configuring vSwitches and port groups can be done as stated here:
https://kb.vmware.com/s/article/1008127

I had to add this to /etc/rc.local.d/local.sh (found this over at the vusb fling forum):

# Wait up to 20 x 10 s for the vusb0 link to come up, then attach it to vSwitch0
vusb0_status=$(esxcli network nic get -n vusb0 | grep 'Link Status' | awk '{print $NF}')
count=0
while [[ $count -lt 20 && "${vusb0_status}" != "Up" ]]
do
    sleep 10
    count=$(( $count + 1 ))
    vusb0_status=$(esxcli network nic get -n vusb0 | grep 'Link Status' | awk '{print $NF}')
done

if [ "${vusb0_status}" = "Up" ]; then
    esxcfg-vswitch -L vusb0 vSwitch0
    esxcfg-vswitch -M vusb0 -p "Management Network" vSwitch0
    esxcfg-vswitch -M vusb0 -p "VM Network" vSwitch0
fi

This still resulted in a VMware host that did not have vusb0 marked as “Management” when the machine starts.
I tried a couple of things, no result. This means that on every boot you have to go into the console and select vusb0 for “Management” before you can reach the web UI remotely.

This sucked, imho.

What sucked even more was that the new virtual machine configuration did not have a network to select.

I added another port group to the same vSwitch, which allowed a virtual machine configuration to offer a network selection.

But no actual network.

I am not done with this until it works,
OR when it takes too much time I’ll abandon the idea of having vusb0 on VMware.

Cheers.


VMware resize VMFS partition and datastore

Resize VMFS Partition ESXi

Also see https://kb.vmware.com/s/article/2002461

Get Datastore:

vmkfstools -P /vmfs/volumes/DATASTORE/

VMFS-6.82 (Raw Major Version: 24) file system spanning 1 partitions.
File system label (if any): DATASTORE
Mode: public
Capacity 1920118816768 (1831168 file blocks * 1048576), 813595361280 (775905 blocks) avail, max supported file size 70368744177664
Disk Block Size: 512/512/0
UUID: 5d6e2640-3368bb72-b4c4-8030e039ac8c
Partitions spanned (on "lvm"):
 naa.600508b1001xxxxxxxxxxxxxxxxxxxxx:1
Is Native Snapshot Capable: NO

Get Disk:

partedUtil get "/vmfs/devices/disks/naa.600508b1001xxxxxxxxxxxxxxxxxxxxx"

583666 255 63 9376594600
1 2048 3750635520 0 0

First row is disk geometry
Second row, fields are: partition number, starting sector, ending sector, type, attribute
[etc.]

Get the usable sectors:

partedUtil getUsableSectors "/vmfs/devices/disks/naa.600508b1001xxxxxxxxxxxxxxxxxxxxx"

34 9376594566

Resize the partition:

partedUtil resize "/vmfs/devices/disks/naa.600508b1001xxxxxxxxxxxxxxxxxxxxx" 1 2048 9376594566

Syntax: partedUtil resize <disk> <partition-number> <start-sector> <end-sector>

Fix the GPT:

partedUtil fixGpt "/vmfs/devices/disks/naa.600508b1001xxxxxxxxxxxxxxxxxxxxx"

FixGpt tries to fix any problems detected in GPT table.
Please ensure that you don't run this on any RDM (Raw Device Mapping) disk.
Are you sure you want to continue (Y/N): Y
gpt
583666 255 63 9376594600
1 2048 9376594566 AA31E02A400F11DB9590000C2911D1B8 vmfs 0

Done.

Hope this helps you.

cheers.

What I noticed about VMware 6.7 and hpssacli vs ssacli

The HP tooling for HP RAID controllers on the ESXi CLI was called hpssacli.

It resided somewhere in /opt/hp…

It is now /opt/smartstorageadmin/ssacli/bin/ssacli

Hope this helps you 🙂


Fortigate – Recognise Active Directory Users, Windows Server 2019

I read through some Googled pages and one YouTube video to find out how it works.

Log on with your Fortigate account at
https://support.fortinet.com/Download/FirmwareImages.aspx

Yes, you need an account to get to the firmware and downloads.

(edit: click the Download tab, select FortiGate, then browse to / FortiGate/ v5.00/ 5.4/ 5.4.0/ FSSO/ and click “HTTPS”, not checksum)

Get the file “FSSO_Setup_5.0.0287_x64.exe” from the Download tab.

At the moment this is the latest version.

I set up a service account in AD first and used that when running the installer.
(You are asked to provide domain user credentials; I believe it must be a user that can at least read the security logs.)

I installed the agent with default settings.

I finished the installer on my fresh DC (a Windows Server 2019).

Be sure to set a password for the communication between the agent and the FortiGate.

You have to tweak the firewall to let the traffic of this FSSO client through to the FortiGate: ports 8000, 8001 and 8002.

Next you configure a Fortinet Single Sign-On Agent under “Security Fabric / Fabric Connectors” on your FortiGate.

These two should talk to each other now.

Considerations for the agent:

  • You may increase the log file size to 50 Mb instead of the default 10 Mb.
  • Click “Show Monitored DCs”, then “Select DC to Monitor” and select all your DCs for polling.
  • You can add a group filter or an ignore list to reduce traffic.

Next you need to add a group on the FortiGate under User & Device / User Groups.

Select Create New and select FSSO as the type of group.

When you want to add users to this group you can select an AD group, e.g. Domain Users.

Now you can recognise AD users using this group, let them through to the internet in a policy, etc.

Hope this helps you.

Working with Windows Active Directory, transferring FSMO roles from one DC to another.

Today I had to move the FSMO roles and phase out an old DC.
These days you can do it with PowerShell.

Since you are working with Active Directory, log in as an admin user, fire up PowerShell and do a:

Import-Module ActiveDirectory

Get the roles with:

Get-ADDomain | Select-Object InfrastructureMaster,PDCEmulator,RIDMaster | Format-List
Get-ADForest | Select-Object DomainNamingMaster,SchemaMaster | Format-List

Move the roles with:

Move-ADDirectoryServerOperationMasterRole -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster -Identity DC01

Then get the roles again to see if they moved.
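
As an added example (not part of the original post), a PowerShell check that reports any role not yet held by the target DC, so "did they move?" becomes a yes/no answer; it assumes the ActiveDirectory module and the DC name DC01 from the command above.

```powershell
# Added example, not part of the original post: after the move, report any
# FSMO role that is not yet held by the intended DC. Assumes the
# ActiveDirectory module and the target DC name 'DC01' used above.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Role name -> holder (DC FQDN) for all five roles, forest-wide roles first
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoRolesOn {
    # Returns one object per role NOT held by -Identity; no output means all moved
    param([Parameter(Mandatory)][string]$Identity)
    $expected = (Get-ADDomainController -Identity $Identity).HostName
    foreach ($role in (Get-FsmoRoleHolders).GetEnumerator()) {
        if ($role.Value -ne $expected) {
            [pscustomobject]@{ Role = $role.Key; Holder = $role.Value; Expected = $expected }
        }
    }
}

$stragglers = Test-FsmoRolesOn -Identity DC01
if ($stragglers) { $stragglers | Format-Table -AutoSize } else { 'All five FSMO roles are on DC01.' }
```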

Done.

It’s not every day I have to do this, so I had to look it up myself.
The three mega-important commands are displayed here for my and perhaps your convenience.

You may sometimes even forget these roles exist, but without them, the domain would break.

Hope this helps you,

Cheers.


userAccountControl, Attributes for AD Users

I needed this today for use in querying a large AD.

Repost. Credits go to http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm

You can query with this, e.g. with PowerShell, and do some counting:

(Get-ADUser -LDAPFilter "(&(sAMAccountName=*)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -SearchBase 'OU=Users,DC=domain,DC=local').Count

But you could also check whether the password has been set to never expire, etc.

Attributes for AD Users : userAccountControl

The Active Directory attribute userAccountControl contains a range of flags which define some important basic properties of a user object. These flags can also be used to request or change the status of an account.

userAccountControl

LDAP name:             userAccountControl
Data type:             Integer (DWORD, 4 bytes)
Multivalue (Array):    No
System Flags:          0x12
Search Flags:          0x19
In Global Catalog?:    Yes
Attribute ID:          1.2.840.113556.1.4.8
AD DB attribute name:  User-Account-Control
ADSI datatype:         7 - Integer
LDAP syntax:           1.3.6.1.4.1.1466.115.121.1.27 - Integer
Used in:               … > W2K
Schema Info:           Microsoft - MSDN

In addition to the mere attribute specification in the schema documentation, there are two important websites which explain the meaning of the different userAccountControl flags:

MSDN: Open Specifications – [MS-ADTS] – 2.2.15 – userAccountControl Bits

MSDN: Open Specifications – [MS-SAMR] – 3.1.1.8.10 – userAccountControl

Here are the single flags; you will find some annotations afterwards:

Flag value (binary)                (decimal)   Flag
0000000000000000000000000000000x   1           Reserved, the value must always be 0
00000000000000000000000000000010   2           UF_ACCOUNT_DISABLE
00000000000000000000000000000x00   4           Reserved, the value must always be 0
00000000000000000000000000001000   8           UF_HOMEDIR_REQUIRED
00000000000000000000000000010000   16          UF_LOCKOUT
00000000000000000000000000100000   32          UF_PASSWD_NOTREQD
00000000000000000000000001000000   64          UF_PASSWD_CANT_CHANGE
00000000000000000000000010000000   128         UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
00000000000000000000000x00000000   256         Reserved, the value must always be 0
00000000000000000000001000000000   512         UF_NORMAL_ACCOUNT
000000000000000000000x0000000000   1024        Reserved, the value must always be 0
00000000000000000000100000000000   2048        UF_INTERDOMAIN_TRUST_ACCOUNT
00000000000000000001000000000000   4096        UF_WORKSTATION_TRUST_ACCOUNT
00000000000000000010000000000000   8192        UF_SERVER_TRUST_ACCOUNT
00000000000000000x00000000000000   16384       Reserved, the value must always be 0
0000000000000000x000000000000000   32768       Reserved, the value must always be 0
00000000000000010000000000000000   65536       UF_DONT_EXPIRE_PASSWD
00000000000000100000000000000000   131072      UF_MNS_LOGON_ACCOUNT
00000000000001000000000000000000   262144      UF_SMARTCARD_REQUIRED
00000000000010000000000000000000   524288      UF_TRUSTED_FOR_DELEGATION
00000000000100000000000000000000   1048576     UF_NOT_DELEGATED
00000000001000000000000000000000   2097152     UF_USE_DES_KEY_ONLY
00000000010000000000000000000000   4194304     UF_DONT_REQUIRE_PREAUTH
00000000100000000000000000000000   8388608     UF_PASSWORD_EXPIRED
00000001000000000000000000000000   16777216    UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
00000010000000000000000000000000   33554432    UF_NO_AUTH_DATA_REQUIRED
00000100000000000000000000000000   67108864    UF_PARTIAL_SECRETS_ACCOUNT
0000x000000000000000000000000000   134217728   Reserved, the value must always be 0
000x0000000000000000000000000000   268435456   Reserved, the value must always be 0
00x00000000000000000000000000000   536870912   Reserved, the value must always be 0
0x000000000000000000000000000000   1073741824  Reserved, the value must always be 0
x0000000000000000000000000000000   2147483648  Reserved, the value must always be 0

If there are several flags set for a certain account, you just have to add the decimal values of these flags to get the resulting value of the userAccountControl attribute. Some examples:

Normal User Account
00000000000000000000001000000000   512     UF_NORMAL_ACCOUNT
Total                              512

Disabled User
00000000000000000000000000000010   2       UF_ACCOUNT_DISABLE
00000000000000000000001000000000   512     UF_NORMAL_ACCOUNT
Total                              514

User whose password never expires
00000000000000000000001000000000   512     UF_NORMAL_ACCOUNT
00000000000000010000000000000000   65536   UF_DONT_EXPIRE_PASSWD
Total                              66048

To set or erase bits in the userAccountControl attribute, this is what you could do (VBScript):

Const ADS_UF_ACCOUNT_DISABLE = 2
Const ADS_UF_HOMEDIR_REQUIRED = 8
Const ADS_UF_LOCKOUT = 16
Const ADS_UF_PASSWD_NOTREQD = 32
Const ADS_UF_PASSWD_CANT_CHANGE = 64
Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 128
Const ADS_UF_NORMAL_ACCOUNT = 512
Const ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 2048
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = 4096
Const ADS_UF_SERVER_TRUST_ACCOUNT = 8192
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536
Const ADS_UF_MNS_LOGON_ACCOUNT = 131072
Const ADS_UF_SMARTCARD_REQUIRED = 262144
Const ADS_UF_TRUSTED_FOR_DELEGATION = 524288
Const ADS_UF_NOT_DELEGATED = 1048576
Const ADS_UF_USE_DES_KEY_ONLY = 2097152
Const ADS_UF_DONT_REQUIRE_PREAUTH = 4194304
Const ADS_UF_PASSWORD_EXPIRED = 8388608
Const ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 16777216
Const ADS_UF_NO_AUTH_DATA_REQUIRED = 33554432
Const ADS_UF_PARTIAL_SECRETS_ACCOUNT = 67108864

Set obj = GetObject("LDAP://cn=philipp,ou=user,dc=cerrotorre,dc=de")

'The user is disabled (set flag bit):
obj.userAccountControl = obj.userAccountControl Or ADS_UF_ACCOUNT_DISABLE
obj.SetInfo

'The user is enabled (clear flag bit). And Not clears the bit whatever its
'current state; Xor would toggle it and disable an already enabled user.
obj.userAccountControl = obj.userAccountControl And (Not ADS_UF_ACCOUNT_DISABLE)
obj.SetInfo

If you are searching for users with specific userAccountControl properties (in an LDAP search operation), you need special LDAP filters to limit the search to the accounts which have set or not set certain bits in this value:

Const ADS_UF_ACCOUNT_DISABLE = 2
Const ADS_UF_PASSWD_NOTREQD = 32
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536

'All accounts which are disabled:
' => ADS_UF_ACCOUNT_DISABLE = 2
' => ldapFilter = "(userAccountControl:1.2.840.113556.1.4.803:=2)"

'All accounts which are NOT disabled:
' => ADS_UF_ACCOUNT_DISABLE = 2
' => ldapFilter = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

'All accounts which do not need a password OR whose passwords never expire
'(matching rule 1.4.804: any bit of the mask is set):
' => ADS_UF_PASSWD_NOTREQD + ADS_UF_DONT_EXPIRE_PASSWD = 32 + 65536 = 65568
' => ldapFilter = "(userAccountControl:1.2.840.113556.1.4.804:=65568)"

'All accounts which do not need a password AND which are disabled
'(matching rule 1.4.803: all bits of the mask are set):
' => ADS_UF_PASSWD_NOTREQD + ADS_UF_ACCOUNT_DISABLE = 32 + 2 = 34
' => ldapFilter = "(userAccountControl:1.2.840.113556.1.4.803:=34)"
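
As an added example (not from the original post or from selfadsi.org), PowerShell that decodes a userAccountControl value into its flag names, sums flag names into the "Total" values shown above, and builds the .803/.804 LDAP filters from flag names; the only assumption is the ActiveDirectory module for the commented-out query at the end.

```powershell
# Added example (not from the original post or selfadsi.org): decode
# userAccountControl values, compute them from flag names, and build the LDAP
# bitwise filters used above. Flag values are the ones in the table above.
$UacFlags = [ordered]@{
    ACCOUNT_DISABLE                        = 2
    HOMEDIR_REQUIRED                       = 8
    LOCKOUT                                = 16
    PASSWD_NOTREQD                         = 32
    PASSWD_CANT_CHANGE                     = 64
    ENCRYPTED_TEXT_PASSWORD_ALLOWED        = 128
    NORMAL_ACCOUNT                         = 512
    INTERDOMAIN_TRUST_ACCOUNT              = 2048
    WORKSTATION_TRUST_ACCOUNT              = 4096
    SERVER_TRUST_ACCOUNT                   = 8192
    DONT_EXPIRE_PASSWD                     = 65536
    MNS_LOGON_ACCOUNT                      = 131072
    SMARTCARD_REQUIRED                     = 262144
    TRUSTED_FOR_DELEGATION                 = 524288
    NOT_DELEGATED                          = 1048576
    USE_DES_KEY_ONLY                       = 2097152
    DONT_REQUIRE_PREAUTH                   = 4194304
    PASSWORD_EXPIRED                       = 8388608
    TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 16777216
    NO_AUTH_DATA_REQUIRED                  = 33554432
    PARTIAL_SECRETS_ACCOUNT                = 67108864
}

# LDAP matching rules: .803 = all bits of the mask set (AND), .804 = any bit set (OR)
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'
$LDAP_MATCHING_RULE_BIT_OR  = '1.2.840.113556.1.4.804'

function ConvertFrom-UserAccountControl {
    # Returns the UF_* names of all flags set in a userAccountControl value.
    param([Parameter(Mandatory)][int64]$Value)
    foreach ($entry in $UacFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { "UF_$($entry.Key)" }
    }
}

function ConvertTo-UserAccountControl {
    # Sums the decimal values of the given flag names (the "Total" rows above).
    # Names may be given with or without the UF_ prefix.
    param([Parameter(Mandatory)][string[]]$Flag)
    $total = [int64]0
    foreach ($name in $Flag) {
        $key = $name -replace '^UF_', ''
        if (-not $UacFlags.Contains($key)) { throw "Unknown userAccountControl flag: $name" }
        $total = $total -bor [int64]$UacFlags[$key]
    }
    $total
}

function New-UacLdapFilter {
    # Builds an LDAP filter for user accounts that have ALL given flags set
    # (default, rule .803) or ANY of them (-Any, rule .804); -Not inverts it.
    param(
        [Parameter(Mandatory)][string[]]$Flag,
        [switch]$Any,
        [switch]$Not
    )
    $mask = ConvertTo-UserAccountControl -Flag $Flag
    $rule = if ($Any) { $LDAP_MATCHING_RULE_BIT_OR } else { $LDAP_MATCHING_RULE_BIT_AND }
    $bits = "(userAccountControl:${rule}:=${mask})"
    if ($Not) { $bits = "(!${bits})" }
    "(&(objectCategory=person)(objectClass=user)${bits})"
}

# Worked checks against the examples on this page
ConvertFrom-UserAccountControl 514                                    # UF_ACCOUNT_DISABLE, UF_NORMAL_ACCOUNT
ConvertTo-UserAccountControl 'NORMAL_ACCOUNT', 'DONT_EXPIRE_PASSWD'   # 66048
New-UacLdapFilter -Flag 'ACCOUNT_DISABLE' -Not                        # enabled accounts, as in the count above
New-UacLdapFilter -Flag 'PASSWD_NOTREQD', 'DONT_EXPIRE_PASSWD' -Any   # mask 65568 with rule .804

# Against a real domain (ActiveDirectory module; adjust the SearchBase), e.g.
# count the accounts whose password never expires:
# (Get-ADUser -LDAPFilter (New-UacLdapFilter -Flag 'DONT_EXPIRE_PASSWD') -SearchBase 'OU=Users,DC=domain,DC=local').Count
```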

UF_ACCOUNT_DISABLE ( 2 )

If this userAccountControl bit is set, the corresponding user account is disabled and cannot authenticate to the domain any more. Please do not confuse this with the Intruder Lockout mechanism, which locks out a user who enters a wrong password too often in too short a time.

Disabled users and locked users

If you want to enable a disabled user by deleting the UF_ACCOUNT_DISABLE flag, this will only succeed if its password complies with the current password policies. If blank passwords are prohibited in your environment and the disabled user has no password (for example because it was just created), it cannot be activated: there will be a runtime error (-2147016651: LDAP_UNWILLING_TO_PERFORM). If a user can be activated in such cases despite an empty password, then maybe the userAccountControl flag UF_DONT_EXPIRE_PASSWD is set …

UF_HOMEDIR_REQUIRED ( 8 )

If this userAccountControl bit is set, the directory property ‘home drive’ must be set for the corresponding account => the LDAP attribute homeDirectory must exist. That’s the theory. In practice, this bit may be set without the system returning an error, even when there is no home drive configured for the corresponding user.

UF_LOCKOUT ( 16 )

Caution: This bit does not work as expected!

This userAccountControl bit is supposed to indicate that the user is locked by the Intruder Lockout mechanism (the lock can only be triggered by the system itself). But this is just a leftover from Windows NT times. For Active Directory users, this bit is NEVER set for locked users. If you want to know whether an account is locked, you should use the attribute lockoutTime:

'Unlocking a user account:
Set user = GetObject("LDAP://cn=sandra,ou=user,dc=cerrotorre,dc=de")
user.lockoutTime = 0
user.SetInfo

You can search locked accounts with this LDAP filter:

'All accounts which are locked (a lockoutTime of 0 means the account has been unlocked again):
' => ldapFilter = "(&(objectClass=user)(lockoutTime>=1))"

If you are currently connected to a user object via LDAP, you can also examine the attribute msDS-User-Account-Control-Computed. In contrast to userAccountControl, its UF_LOCKOUT bit shows whether an account is actually locked. However, it is a constructed attribute, so it cannot be used as a filter criterion in LDAP search operations.

UF_PASSWD_NOTREQD ( 32 )

If this userAccountControl bit is set, the user is not subject to a possibly existing policy regarding the length of the password. So they can have a shorter password than required, or even no password at all, even if empty passwords are not allowed. This property is not visible in the normal GUI tools (Active Directory Users and Computers)!

UF_PASSWD_CANT_CHANGE ( 64 )

Caution: This bit does not work as expected!

This flag is supposed to indicate that the password for that account cannot be changed by the account itself. Yet nothing happens if you set the bit (and no runtime error is returned either; the value of the bit simply remains unchanged). If you really want to make sure that the password may not be modified, you have to deny the extended right ‘Change Password’ for the account itself and every other user.

Prevent password changes

In the access control list, this deny entry is set for the ‘SELF’ trustee as well. If you want to change the permissions with a batch script, you can achieve this with DSACLS commands:

REM Prevent password change
DSACLS "cn=PhilippFoeckeler,dc=selfadsi,dc=org" /D Everyone:CA;"Change Password"

REM Allow password change
DSACLS "cn=PhilippFoeckeler,dc=selfadsi,dc=org" /G Everyone:CA;"Change Password"
DSACLS "cn=PhilippFoeckeler,dc=selfadsi,dc=org" /G SELF:CA;"Change Password"

By the way: a password change is not the same as a password reset. An administrator can of course still perform a password reset in that case.

UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED ( 128 )

If this bit is set, the password for this user is stored encrypted in the directory, but in a reversible form. As the term reversible already implies, with this setting the password of the user can be read with the appropriate permissions (=> security gap!!).

You need the UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag when an application needs to know the passwords of the users to authenticate them. This is for example the case when you want/have to use RAS (Remote Access) with the old CHAP authentication, or if you want to use IIS Digest Authentication embedded in an Active Directory environment.

Normally, passwords are stored as irreversible hash values in the AD database. So you should NEVER use this option unless it is absolutely necessary.

Activation of the option "Store password in reversible encryption"

UF_NORMAL_ACCOUNT ( 512 )

This bit indicates that this is a normal user account. It is necessary to distinguish this type of account from other types, because not only user objects have a userAccountControl attribute, but also computer objects and the objects representing domain controllers or trust relationships.

UF_INTERDOMAIN_TRUST_ACCOUNT ( 2048 )

This userAccountControl bit indicates that this is an account which represents a trust connection to an external domain. Normally, the name of the account is the NetBIOS name of the domain with a ‘$’ at the end. This flag should never be set for a user account.

UF_WORKSTATION_TRUST_ACCOUNT ( 4096 )

This user account control bit indicates that this is a machine account of an ordinary computer or member server in the domain. This flag should never be set for a user account.

UF_SERVER_TRUST_ACCOUNT ( 8192 )

This bit indicates that this is a domain controller account. This flag should never be set for a user account.

UF_DONT_EXPIRE_PASSWD ( 65536 )

If this userAccountControl bit is set, the user is not subject to an existing policy regarding a forced password change interval: the password of this account never expires.

UF_MNS_LOGON_ACCOUNT ( 131072 )

This bit indicates that this is a Majority Node Set (MNS) account. Such accounts are required for the operation of cluster nodes on Windows Server 2003 (and newer) in which the quorum data is not stored on a shared media drive. This flag should never be set for a user account.

UF_SMARTCARD_REQUIRED ( 262144 )

This bit shows that for the account in question only smartcard authentication is allowed for interactive logon to the domain. Other authentication mechanisms are not allowed. If this flag is set, the password of this account never expires (the domain password is not used when logging on with the smartcard …).

UF_TRUSTED_FOR_DELEGATION ( 524288 )

This userAccountControl bit indicates that this is an account that can be used for Windows services, in the sense that the service temporarily takes on the identity of the user who is using the service. This is for example the case when the Server service has the same rights on the local disk as the user who is currently accessing a shared network drive. This process is also called impersonation.

UF_NOT_DELEGATED ( 1048576 )

This bit indicates that this is an account for which a service may NOT impersonate the identity (sort of the reverse situation to UF_TRUSTED_FOR_DELEGATION bit).

UF_USE_DES_KEY_ONLY ( 2097152 )

This bit indicates that in the Kerberos authentication of the account ONLY the algorithm DES (Data Encryption Standard) may be used for the generation of tickets. This should only be set for accounts which don’t use a Windows machine to log on to the domain (Windows will always have at least DES and RC4 available).

Actually, this shouldn’t play a big role anymore, because DES is no longer considered a good algorithm. Since Vista and Windows Server 2008, the much more modern AES (Advanced Encryption Standard) algorithm is available for Kerberos authentication to a domain controller. For signaling which algorithms are supported for authentication of a specific account, there is now the modern attribute msDS-SupportedEncryptionTypes. It is used to negotiate the encryption algorithms between client and domain controller.

UF_DONT_REQUIRE_PREAUTH ( 4194304 )

This bit indicates that no so-called pre-authentication is necessary for Kerberos authentication of the account. This is only important for older Kerberos clients that need to log on to the domain from foreign systems and do not support Kerberos pre-authentication. For accounts that log on from a Windows machine, and certainly for machine accounts of Windows domain members, this flag should NEVER be set, because pre-authentication prevents certain types of dictionary attacks on the Kerberos logon.

UF_PASSWORD_EXPIRED ( 8388608 )

Caution: This bit does not work as expected!

Normally, this user account control bit is supposed to indicate that the user’s password is expired. However, it is not set by the system when the password actually expires, nor can you force the user to change his password at the next logon by setting this bit.

If you really want to know whether the password of an account has expired or not, you can examine the attribute msDS-User-Account-Control-Computed; in contrast to userAccountControl, this is a good indicator for password expiration in the UF_LOCKOUT bit. However, this is a constructed attribute, so it cannot be used as a filter criterion in LDAP search operations.

If you want to force expiration of a password, just set user attribute pwdLastSet to -1.

It’s getting even more complicated if you want to know exactly when a password will expire. This must be calculated from the maxPwdAge attribute of the domain and the pwdLastSet attribute of the account. These are Microsoft Integer8 values that require quite an effort in handling. Windows Server 2008 added a new LDAP attribute that saves you the calculation: msDS-UserPasswordExpiryTimeComputed. This is also a constructed attribute, so it cannot be used in LDAP searches or in an LDAP filter. Take caution when calculating the expiration time in AD environments with Windows Server 2008 and newer: there could be so-called Fine Grained Password Policies active.

UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION ( 16777216 )

This bit indicates that the user in question can request a Kerberos ticket on behalf of another user. This is necessary in rare cases for service accounts that require so-called S4U2self service tickets from the domain controller. This involves taking on another user’s identity and goes far beyond normal impersonation, which is sometimes important for running services. For this reason you should set this flag only if it is really necessary.

UF_NO_AUTH_DATA_REQUIRED ( 33554432 )

This bit indicates that the account in question can request a ticket in the Kerberos ticketing process without the so-called Privilege Attribute Certificate (PAC) data being sent. The PAC data structure is a Microsoft-specific Kerberos extension and contains information about the security ID of the user and the groups of which it is a member. This bit is only relevant if the account in question logs on to the domain from a foreign, non-Windows machine that does not support the PAC.

UF_PARTIAL_SECRETS_ACCOUNT ( 67108864 )

This bit indicates that this is a read-only domain controller account. These machine accounts always have the UF_WORKSTATION_TRUST_ACCOUNT flag set as well. This flag should never be set for a user account.
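The flag table above and the pwdLastSet/maxPwdAge calculation are easy to get wrong by hand, so here is an added worked example (not code from the original post or from selfadsi.org) that decodes a userAccountControl value, lists the bits this page warns about, builds the bitwise LDAP filter, and computes the expiry instant from the two Integer8 values. The account entries, the 42-day maxPwdAge and the "now" instant are constructed.

```python
"""Added example (not from the original page or selfadsi.org): decode
userAccountControl, flag the bits this page warns about, and compute password
expiry from pwdLastSet and maxPwdAge. All account data below is constructed."""
from datetime import datetime, timedelta, timezone

# Bit values as listed on this page. UF_ACCOUNTDISABLE and UF_LOCKOUT belong to
# the same Microsoft flag set but are not discussed in this excerpt.
UAC_FLAGS = {
    "UF_ACCOUNTDISABLE": 2, "UF_LOCKOUT": 16, "UF_PASSWD_NOTREQD": 32,
    "UF_PASSWD_CANT_CHANGE": 64, "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 128,
    "UF_NORMAL_ACCOUNT": 512, "UF_INTERDOMAIN_TRUST_ACCOUNT": 2048,
    "UF_WORKSTATION_TRUST_ACCOUNT": 4096, "UF_SERVER_TRUST_ACCOUNT": 8192,
    "UF_DONT_EXPIRE_PASSWD": 65536, "UF_MNS_LOGON_ACCOUNT": 131072,
    "UF_SMARTCARD_REQUIRED": 262144, "UF_TRUSTED_FOR_DELEGATION": 524288,
    "UF_NOT_DELEGATED": 1048576, "UF_USE_DES_KEY_ONLY": 2097152,
    "UF_DONT_REQUIRE_PREAUTH": 4194304, "UF_PASSWORD_EXPIRED": 8388608,
    "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 16777216,
    "UF_NO_AUTH_DATA_REQUIRED": 33554432, "UF_PARTIAL_SECRETS_ACCOUNT": 67108864,
}

# Bits the text above says weaken an ordinary user account, or that
# "should never be set for a user account".
RISKY_ON_USER = {
    "UF_PASSWD_NOTREQD", "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    "UF_USE_DES_KEY_ONLY", "UF_DONT_REQUIRE_PREAUTH",
    "UF_TRUSTED_FOR_DELEGATION", "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    "UF_INTERDOMAIN_TRUST_ACCOUNT", "UF_WORKSTATION_TRUST_ACCOUNT",
    "UF_SERVER_TRUST_ACCOUNT", "UF_MNS_LOGON_ACCOUNT", "UF_PARTIAL_SECRETS_ACCOUNT",
}

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_PWD_AGE_NEVER = -(1 << 63)   # stored maxPwdAge when the policy says "never expires"


def decode_uac(value):
    """Names of all flags set in a userAccountControl value, lowest bit first."""
    return [n for n, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1]) if value & bit]


def risky_flags(value):
    return [n for n in decode_uac(value) if n in RISKY_ON_USER]


def ldap_filter_for_flag(flag_name):
    """Search filter for accounts with the bit set. Unlike the constructed
    msDS-* attributes, userAccountControl can be used as a filter criterion."""
    return "(userAccountControl:%s:=%d)" % (LDAP_MATCHING_RULE_BIT_AND, UAC_FLAGS[flag_name])


def filetime_to_datetime(filetime):
    """Integer8 timestamp: 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def password_expiry(pwd_last_set, max_pwd_age, uac):
    """Moment the password expires, or None if it never expires. maxPwdAge is a
    negative Integer8 duration, so expiry = pwdLastSet - maxPwdAge. A pwdLastSet
    of 0 means 'must change at next logon' and is reported as already expired.
    Fine Grained Password Policies (msDS-ResultantPSO) are not considered here."""
    if uac & UAC_FLAGS["UF_DONT_EXPIRE_PASSWD"] or max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def audit(entries, max_pwd_age, now):
    """(sAMAccountName, finding) pairs for a list of directory entries."""
    findings = []
    for e in entries:
        uac = e["userAccountControl"]
        findings += [(e["sAMAccountName"], f) for f in risky_flags(uac)]
        exp = password_expiry(e["pwdLastSet"], max_pwd_age, uac)
        if exp is not None and exp <= now:
            findings.append((e["sAMAccountName"], "PASSWORD_EXPIRED"))
    return findings


# Constructed sample data: a 42-day maxPwdAge and three fictitious accounts.
MAX_PWD_AGE_42_DAYS = -42 * 86400 * 10_000_000
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512,
     "pwdLastSet": 132000000000000000},                    # 2019-04-17 18:40 UTC
    {"sAMAccountName": "svc-legacy", "userAccountControl": 512 + 65536 + 4194304,
     "pwdLastSet": 0},                                     # no preauth, never expires
    {"sAMAccountName": "bob", "userAccountControl": 512 + 32, "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ENTRIES, MAX_PWD_AGE_42_DAYS, NOW):
        print(name, finding)
```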


Hope this repost helps. Credits to http://www.selfadsi.org

Posted in Active Directory, ldap | Comments Off on userAccountControl, Attributes for AD Users

Sonos controller app for Windows, download link

It was somewhat hard to locate, so here is the link to the windows (10) download for the Sonos Controller:

https://www.sonos.com/redir/controller_software_pc

Cheers

Posted in Microsoft, Sonos, Win10, Windows | Comments Off on Sonos controller app for Windows, download link

HP 2530-24G (J9773A) OID’s for CRC ERR

For my own documentation purposes, here are a bunch of OIDs for SNMP monitoring on an HP 2530-24G managed switch.

I needed to monitor each port for errors.

Apparently the errors can be obtained using an OID for each port:

CRC ERR IN

.1.3.6.1.2.1.2.2.1.14.1 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.2 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.3 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.4 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.5 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.6 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.7 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.8 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.9 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.10 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.11 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.12 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.13 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.14 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.15 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.16 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.17 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.18 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.19 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.20 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.21 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.22 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.23 = COUNTER32
.1.3.6.1.2.1.2.2.1.14.24 = COUNTER32

CRC ERR OUT

.1.3.6.1.2.1.2.2.1.20.1 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.2 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.3 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.4 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.5 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.6 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.7 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.8 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.9 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.10 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.11 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.12 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.13 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.14 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.15 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.16 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.17 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.18 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.19 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.20 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.21 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.22 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.23 = COUNTER32
.1.3.6.1.2.1.2.2.1.20.24 = COUNTER32

I left out the ports for the modules, but they are .25 .26 .27 and .28

I reckon that for the 48-port version of this switch the list is just a bit longer 🙂
I’ll add more here if I come across other things worth knowing about this kind of switch, as I work a lot with HP.
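An added example (not from the original post) of what to do with the counters above once polled: in IF-MIB terms .1.3.6.1.2.1.2.2.1.14.N is ifInErrors and .20.N is ifOutErrors, Counter32 values that only grow and wrap at 2^32, so an alert needs two samples and wrap-safe subtraction rather than a threshold on the raw value. The two polls, the 60-second interval and the threshold are constructed.

```python
"""Added example (not from the original post): poll-to-poll error rates for the
HP 2530 port counters listed above. The two polls below are constructed."""

IF_IN_ERRORS = ".1.3.6.1.2.1.2.2.1.14"     # IF-MIB ifInErrors.<ifIndex>
IF_OUT_ERRORS = ".1.3.6.1.2.1.2.2.1.20"    # IF-MIB ifOutErrors.<ifIndex>
COUNTER32_MOD = 1 << 32


def error_oids(ports=range(1, 29)):
    """Map every error-counter OID (24 copper ports + 4 module ports) to (direction, port)."""
    oids = {f"{IF_IN_ERRORS}.{p}": ("in", p) for p in ports}
    oids.update({f"{IF_OUT_ERRORS}.{p}": ("out", p) for p in ports})
    return oids


def counter_delta(old, new):
    """Difference of two Counter32 samples, correct across a single wrap at 2^32."""
    return (new - old) % COUNTER32_MOD


def error_rates(poll_a, poll_b, interval_s):
    """poll_*: {oid: Counter32 value}. Returns {(direction, port): errors per second}
    for OIDs present in both polls; a counter missing from either poll is skipped
    (typically a port the agent did not answer for)."""
    rates = {}
    for oid, key in error_oids().items():
        if oid in poll_a and oid in poll_b:
            rates[key] = counter_delta(poll_a[oid], poll_b[oid]) / interval_s
    return rates


def noisy_ports(rates, threshold_per_s):
    """Ports whose error rate exceeds the threshold, sorted for stable reporting."""
    return sorted(key for key, rate in rates.items() if rate > threshold_per_s)


# Constructed samples 60 s apart: port 3's input counter wraps around, port 7 is
# producing a steady stream of output errors, port 1 is clean.
POLL_INTERVAL_S = 60
POLL_T0 = {
    ".1.3.6.1.2.1.2.2.1.14.1": 0, ".1.3.6.1.2.1.2.2.1.20.1": 0,
    ".1.3.6.1.2.1.2.2.1.14.3": 4294967290,
    ".1.3.6.1.2.1.2.2.1.14.7": 12, ".1.3.6.1.2.1.2.2.1.20.7": 0,
}
POLL_T1 = {
    ".1.3.6.1.2.1.2.2.1.14.1": 0, ".1.3.6.1.2.1.2.2.1.20.1": 0,
    ".1.3.6.1.2.1.2.2.1.14.3": 10,
    ".1.3.6.1.2.1.2.2.1.14.7": 12, ".1.3.6.1.2.1.2.2.1.20.7": 300,
}

if __name__ == "__main__":
    rates = error_rates(POLL_T0, POLL_T1, POLL_INTERVAL_S)
    for (direction, port), rate in sorted(rates.items()):
        print(f"port {port:2d} {direction:3s} {rate:.2f} err/s")
    print("over threshold:", noisy_ports(rates, 1.0))
```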


Posted in hp, snmp, switch | Tagged | Comments Off on HP 2530-24G (J9773A) OID’s for CRC ERR

Powershell connect to Azure

I needed this today to quickly find a solution as to why a virtual machine was not running, and had to retrieve some info about an application that runs a script.

Start powershell as admin

Set-ExecutionPolicy Unrestricted -force
Install-Module AzureRM

Answer Yes on NuGet. By the way, an Unrestricted execution policy is not entirely safe, I know, but it works for me right now, because I needed to fix something immediately.
You may want to specify it differently.

Import-Module AzureRM
Connect-AzureRmAccount

Enter your Azure credentials.

To test the connection, this should return some tenant info:

Get-AzureRmTenant
Get-AzureRmContext


By the way, if you want to do something with AzureAD, you may need to do a

Connect-AzureAD

Enter your credentials again, and then do what you want to do, e.g:

Get-AzureADApplication
Get-AzureADContact
Get-AzureADDevice
Get-AzureADGroup


etc.

Hope this helps you!

Posted in Azure, powershell | Comments Off on Powershell connect to Azure

Ubiquiti EdgeRouter Lite on “Telfort” glass fiber VLAN config and configure VLAN masquerading rules

So, here is my EdgeRouter config, edited a little for security reasons.

I hope this may help you.

Cheers!


Short description:

I use glass fiber from my ISP “Telfort” which uses VLAN 34 on eth1.34 (eth1 vif 34, using dhcp from the ISP, even though they always give me the same IP).
This is how my ISP works, so I have to live with that and set it up this way.

This means I do not use eth1 itself, which has been set to nothing, but is not disabled.

I do not use IPv6.

I am not using interface eth2.

I have my home LAN on eth0 and my dirty wifi for IoT and guests on eth0.111 (VLAN 111).

To add the nat masquerading rules for a new interface, e.g. eth0.111, log in as admin on the CLI and type:

configure

and then add something like the following (rule 5010 could also be 5011 or another number, as long as it is not a rule number you already have in use):

set service nat rule 5010 description "VLAN NAT for 192.168.111.0/24"
set service nat rule 5010 outbound-interface eth1.34
set service nat rule 5010 protocol all
set service nat rule 5010 source address 192.168.111.0/24
set service nat rule 5010 type masquerade

Anyway, here is my config. You may want to change YOUR-ISP-GATEWAY to the IP address of the next hop, usually known as the gateway, of your ISP.

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.100.254/24
        duplex auto
        speed auto
        vif 111 {
            address 192.168.111.254/24
            description "DIRTY WIFI"
            mtu 1500
        }
    }
    ethernet eth1 {
        description "eth1 - not in use"
        duplex auto
        mtu 1512
        speed auto
        vif 34 {
            address dhcp
            description "eth1.34 - telfort"
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1508
        }
    }
    ethernet eth2 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop YOUR-ISP-GATEWAY {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name LAN {
            authoritative disable
            subnet 192.168.100.0/24 {
                default-router 192.168.100.254
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                domain-name home.lan
                lease 86400
                start 192.168.100.150 {
                    stop 192.168.100.250
                }
            }
        }
        shared-network-name VLAN111 {
            authoritative disable
            subnet 192.168.111.0/24 {
                default-router 192.168.111.254
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                domain-name guest.wifi
                lease 86400
                start 192.168.111.150 {
                    stop 192.168.111.250
                }
            }
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5009 {
            description "Telfort Internet masq LAN"
            log enable
            outbound-interface eth1.34
            protocol all
            source {
                address 192.168.100.0/24
            }
            type masquerade
        }
        rule 5010 {
            description "Telfort Internet masq DIRTY"
            log enable
            outbound-interface eth1.34
            protocol all
            source {
                address 192.168.111.0/24
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp {
        listen-on eth0 {
            outbound-interface eth1.34
        }
    }
}
system {
    domain-name home.lan
    host-name gateway
    ipv6 {
        disable
    }
    login {
        user admin {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name Someone
            level admin
        }
    }
    name-server 208.67.222.222
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server nl.pool.ntp.org {
        }
    }
    options {
        reboot-on-panic true
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Amsterdam
}
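
When you add a VLAN this way, two things are easy to forget: the masquerade rule for the new subnet (otherwise that VLAN has no internet) and the WAN_IN/WAN_LOCAL rulesets on the WAN sub-interface (otherwise the router is exposed). The following is an added example, not code from the original post or from Ubiquiti, that parses the brace format of `show configuration` and reports both omissions; SAMPLE_CONFIG is a constructed, shortened copy of the config above with rule 5010 and the WAN_LOCAL binding deliberately left out, so both checks fire.

```python
# Added example (not from the original post or Ubiquiti): parse the EdgeOS brace
# format and check masquerade coverage and WAN firewall bindings. SAMPLE_CONFIG
# is a constructed, shortened copy of the config above, missing rule 5010 and WAN_LOCAL.
import ipaddress

def parse_edgeos(text):
    """Nested dicts from EdgeOS brace syntax (a repeated key keeps its last value)."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            node = stack.pop()                  # close block, back to parent
        elif line.endswith("{"):
            node[line[:-1].strip()] = child = {}   # e.g. "ethernet eth0 {"
            stack.append(node)
            node = child
        else:
            key, _, value = line.partition(" ")    # "address dhcp" / bare "disable"
            node[key] = value.strip('"') if value else True
    return root

def interfaces(cfg):
    """Yield (name, node) for each interface and its 'vif' VLAN sub-interfaces."""
    for key, node in cfg.get("interfaces", {}).items():
        name = key.split()[-1]                          # "ethernet eth0" -> "eth0"
        yield name, node
        for sub, subnode in node.items():
            if sub.startswith("vif "):
                yield f"{name}.{sub.split()[1]}", subnode   # "vif 111" -> "eth0.111"

def lan_networks(cfg):
    """{interface: subnet} for every statically addressed interface."""
    nets = {}
    for name, node in interfaces(cfg):
        addr = node.get("address")
        if isinstance(addr, str) and addr != "dhcp":
            nets[name] = str(ipaddress.ip_interface(addr).network)
    return nets

def masqueraded_sources(cfg, wan):
    nat = cfg.get("service", {}).get("nat", {})
    return {rule.get("source", {}).get("address") for key, rule in nat.items()
            if key.startswith("rule ") and rule.get("type") == "masquerade"
            and rule.get("outbound-interface") == wan}

def audit(cfg, wan="eth1.34"):
    findings = []
    sources = masqueraded_sources(cfg, wan)
    for name, net in lan_networks(cfg).items():
        if net not in sources:
            findings.append(f"{name}: no masquerade rule for {net} via {wan}")
    for name, node in interfaces(cfg):
        if node.get("address") == "dhcp":           # the ISP-facing interface
            for direction in ("in", "local"):
                if direction not in node.get("firewall", {}):
                    findings.append(f"{name}: no '{direction}' firewall ruleset attached")
    return findings

SAMPLE_CONFIG = """interfaces {
    ethernet eth0 {
        address 192.168.100.254/24
        vif 111 {
            address 192.168.111.254/24
        }
    }
    ethernet eth1 {
        vif 34 {
            address dhcp
            firewall {
                in {
                    name WAN_IN
                }
            }
        }
    }
}
service {
    nat {
        rule 5009 {
            outbound-interface eth1.34
            source {
                address 192.168.100.0/24
            }
            type masquerade
        }
    }
}
"""
```

Running `audit(parse_edgeos(SAMPLE_CONFIG))` on the sample reports the missing masquerade rule for 192.168.111.0/24 and the missing 'local' ruleset on eth1.34; on the full config above it returns an empty list.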

Posted in cli, Configuration, EdgeRouter, VLAN, wifi | Comments Off on Ubiquiti EdgeRouter Lite on “Telfort” glass fiber VLAN config and configure VLAN masquerading rules

Use a Sonicwall directly on Telfort glass fiber VLAN using a virtual interface.

With the glass fiber in my home I got a lousy ethernet router from my ISP Telfort.

Of course I understand they want to keep things affordable for everyone, so they hand out these routers for free (free as in you lease them) with the connection that you order.

The -feeling- I have is that this thing is slow and/or lags. I haven’t exactly measured it, so it will stay a feeling.

Today I connected an older Sonicwall that I had laying around to play with to my home connection, and in my humble opinion it is a slightly better performing option for my home internet (100 Mbps).

In order to do this with this specific ISP, you have to create a Virtual interface on your main WAN interface, in my case X1.
Connect the ethernet cable that comes out of your fiber box to that X1 interface as well.

Now create a virtual interface (in Networking you can find this option) and apply the following settings:

Zone WAN
VLAN tag is 34 (-> ISP specific)
Parent interface X1
IP Assignment DHCP
Host name <empty>
Comment  <Up to you>
Management and user login <is up to you>

This should get you going with a Sonicwall on your home.lan with Telfort fiber (in the Netherlands).

Perhaps this could help you too, to configure a Sonicwall with externally incoming VLANs (as an internet connection?). Maybe you don’t use DHCP but set it static; anyhow…

Hope this helps you,

cheers.


Posted in News | Comments Off on Use a Sonicwall directly on Telfort glass fiber VLAN using a virtual interface.

mstsc credSSP error and client reg fix

CredSSP authentication in mstsc sometimes gives an error after installing some needed updates while, e.g., your server is not yet up to date.

You can set back a reg entry… this one:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002

On the client, save it as text to a file with the .reg extension and double-click it to add it to the registry; you may need some rights for this.

You can now use mstsc to your unpatched server again, for a while. Note that the value 2 corresponds to the ‘Vulnerable’ setting for the encryption oracle remediation, so revert it once the server is patched.

Hope this helps.

Posted in credssp, fix, mstsc, News, registry | Comments Off on mstsc credSSP error and client reg fix

Exchange 2010 removing active sync devices, as removing devices hangs for the user in OWA.

Hiyall,

Today at an old server for a customer, a user wanted to finally add one last ActiveSync device, but he already had some listed. Time to remove some, he thought, as he can do this through ye olde OWA page. But that process seemed to hang.

Hence the question came to me.

We all love powershell, so we first get a list of the devices this user uses, with this command:

Get-ActiveSyncDevice -Mailbox USER | select Identity, DeviceOS, DeviceType, DeviceModel, Name

Where USER is the alias for the mailbox.

You can then use the cmd Remove-ActiveSyncDevice to remove the device on -Identity, such as:

Remove-ActiveSyncDevice -Identity "domain/org/users/Username and Lastname/ExchangeActiveSyncDevices/phone§%some%number%" -Confirm:$false

Repeated this for all his excess devices, problem solved.

Note that “-Confirm:$false” is not the same as “-Confirm $true”. It can be a little confusing at times. Note the “:”.

Hope this may help you,
Cheers!

Posted in Exchange 2010 | Tagged , | Comments Off on Exchange 2010 removing active sync devices, as removing devices hangs for the user in OWA.

Local Exchange Management [power]Shell target info

This is the ‘target’ of a locally installed MS Exchange Management [power]Shell.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". 'D:\Exchange\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto -ClientApplication:ManagementShell "

(with Exchange installed locally on the D: drive)

Just FYI, I needed this today.

cheers.

Posted in News | Comments Off on Local Exchange Management [power]Shell target info

Convert wav to wav from 8bit to 16bit with ffmpeg cmdline for 3cx from NEC SV8100

Today I had to convert audio messages from a NEC pbx to the format a 3cx pbx uses.
These are the digital audio intro messages etc. that you get when you call e.g. the main telephone number of a company.

They were in the wrong format, and in that state 3CX does not accept them.
From the NEC we got 8 bit, 1 channel (mono) PCM files.
3CX accepts only 16 bit, one channel (mono) PCM. The sample rate on both is 8k.

Don’t we love ffmpeg. Fixed!
I have a virus-unchecked exe for Windows here if you like, just remove the extension .file after download 🙂

The next command will fix this; welcome123.wav is the audio file retrieved from the NEC SV8100.

ffmpeg -i welcome123.wav -acodec pcm_s16le -ac 1 -ar 8000 welcome123-16b.wav

See, it made the file approx twice the size 🙂
Not strange when you make 8 bits into 16 bits….

Input #0, wav, from 'welcome123.wav':
 Duration: 00:00:12.29, bitrate: 64 kb/s
 Stream #0:0: Audio: pcm_alaw ([6][0][0][0] / 0x0006), 8000 Hz, mono, s16, 64 kb/s
Output #0, wav, to 'welcome123-16b.wav':
 Metadata:
 ISFT : Lavf57.51.100
 Stream #0:0: Audio: pcm_s16le ([1][0][0][0] / 0x0001), 8000 Hz, mono, s16, 128 kb/s
 Metadata:
 encoder : Lavc57.58.100 pcm_s16le
Stream mapping:
 Stream #0:0 -> #0:0 (pcm_alaw (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
size= 192kB time=00:00:12.28 bitrate= 128.1kbits/s speed=7.52e+003x
video:0kB audio:192kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 0.039681%
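Before loading a batch of converted prompts into 3CX it is worth checking the WAV header rather than trusting the file name; the following is an added example, not code from the original post, that reads the RIFF ‘fmt ’ chunk and compares it with the requirement stated above (16-bit, mono, 8000 Hz PCM). Both files are constructed in memory; NEC_EXPORT mimics the A-law file (format code 6, 8 bits) that ffmpeg reported as pcm_alaw, with zero-filled sample data.

```python
# Added example (not from the original post): check a WAV header against the
# 3CX requirement from this post. The files below are constructed in memory.
import struct

WAVE_FORMAT_PCM = 1
WAVE_FORMAT_ALAW = 6      # what the NEC SV8100 exported (ffmpeg: pcm_alaw)
WAVE_FORMAT_MULAW = 7
REQUIRED_FOR_3CX = {"format": WAVE_FORMAT_PCM, "channels": 1, "rate": 8000, "bits": 16}


def wav_info(data):
    """Parse the RIFF header; return format code, channels, rate, bits, data size."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    info, pos = {}, 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        body = data[pos + 8:pos + 8 + size]
        if chunk_id == b"fmt ":
            fmt, channels, rate, _byte_rate, _align, bits = struct.unpack("<HHIIHH", body[:16])
            info.update(format=fmt, channels=channels, rate=rate, bits=bits)
        elif chunk_id == b"data":
            info["data_bytes"] = size
        pos += 8 + size + (size & 1)          # RIFF chunks are word-aligned
    if "format" not in info or "data_bytes" not in info:
        raise ValueError("missing fmt or data chunk")
    return info


def duration_seconds(info):
    return info["data_bytes"] / (info["rate"] * info["channels"] * info["bits"] // 8)


def mismatches_for_3cx(info):
    """Header fields that differ from the 3CX requirement; empty dict means OK."""
    return {k: info[k] for k, want in REQUIRED_FOR_3CX.items() if info[k] != want}


def make_wav(fmt, channels, rate, bits, frames):
    """Constructed minimal WAV with zero-filled sample data, for testing the checks."""
    align = channels * bits // 8
    fmt_chunk = struct.pack("<HHIIHH", fmt, channels, rate, rate * align, align, bits)
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt_chunk)) + fmt_chunk
    body += b"data" + struct.pack("<I", frames * align) + bytes(frames * align)
    return b"RIFF" + struct.pack("<I", len(body)) + body


NEC_EXPORT = make_wav(WAVE_FORMAT_ALAW, 1, 8000, 8, 98320)   # 12.29 s, as in the post
CONVERTED = make_wav(WAVE_FORMAT_PCM, 1, 8000, 16, 98320)    # same length, twice the bytes

if __name__ == "__main__":
    for label, blob in (("NEC export", NEC_EXPORT), ("converted", CONVERTED)):
        info = wav_info(blob)
        print(label, info, f"{duration_seconds(info):.2f}s", mismatches_for_3cx(info) or "OK")
```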

NEC manual here if you like to see how that works.

I hope it may help you as well. Maybe not. who knows.
Have fun!


Posted in 16bit pcm, 3cx, 8bit pcm, ffmpeg | Tagged | Comments Off on Convert wav to wav from 8bit to 16bit with ffmpeg cmdline for 3cx from NEC SV8100

Turning on Windows Defender after manual uninstallation of Trend Micro

After a manual deinstallation of Trend Micro Worry Free Business Security 9.0,
Windows Defender did not automatically see that it could turn on its antivirus component.

Done as prescribed here: https://success.trendmicro.com/solution/1056867-manually-uninstalling-the-security-agent-sa-in-worry-free-business-security-wfbs#collapseOne

It took me a while to find this solution, so here is a repost.

Found at https://answers.microsoft.com/en-us/windows/forum/windows8_1-winapps/error-577-when-i-attempt-to-turn-on-windows/4bf7ef42-7a50-4fe3-88ce-9f13cc2ab0f5

  1. Press Win key + R. This will open Run.
  2. Type “regedit” and hit enter.
  3. Navigate to these keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
  4. Change value of ‘DisableAntiSpyware’ and ‘DisableAntiVirus’ from ‘0’ to ‘1’.
  5. After changing the values go to ‘C:\Program Files\Windows Defender’ and open ‘MSASCui.exe’ file.

If the gui is already open, close it first and then relaunch using MSASCui.exe.

Hope this helps you!

Posted in Defender, Trend Micro, Windows | Comments Off on Turning on Windows Defender after manual uninstallation of Trend Micro

HP Accesspoints and blinking LEDs

Here’s a list of blinking LEDs on HP MSM access points and the HP 425 access point.

I was tired of looking it up all the time, and since these are end-of-life I may well copy that information from HP to my site for my own purposes, and perhaps for yours too.

MSM Access Points

Controlled mode

Power light blinks every two seconds.
The AP is starting up.

Power light blinks once per second.
The AP is looking for an IP address, or building the list of VLANs on which to perform discovery. The management tool is available until discovery occurs.

Power, Ethernet, and Radio lights blink in sequence from left to right.
The AP has obtained an IP address and is attempting to discover a controller.

Power light is on. Ethernet and Radio lights blink alternately.
The AP has found a controller and is attempting to establish a secure management tunnel with it.

Power and Ethernet lights blink alternately and quickly. Radio lights are off.
The AP has received a discovery reply from two or more controllers with the same priority setting. It is unable to connect with either controller until the conflict is resolved.

Power and Radio lights blink slowly.
The AP is attempting to establish a local mesh link to a master node.

Power and Ethernet lights blink slowly.
The AP is attempting to establish wired connectivity.

All three blinking together rapidly
The AP is in TFTP mode. This is a disaster recovery mode, and not used in normal operation. To put AP back to normal mode restore it to factory default settings. If this does not restore normal operation, contact Technical Support.


Autonomous mode

Power Off
The AP has no power.

Power Blinking
The AP is starting up. If the Power light continues to blink after several minutes, it indicates that the software failed to load. Reset or power cycle the AP. If this condition persists, contact HP support.

Power On
The AP is fully operational.

Ethernet Off
The port is not connected or there is no activity.

Ethernet Blinking
The port is transmitting or receiving data.

Radio Blinking
The radio is transmitting or receiving data.

All three blinking together rapidly
The AP is in TFTP mode. This is a disaster recovery mode, and not used in normal operation. To put the AP back to normal mode, restore it to factory default settings. If this does not restore normal operation, contact Technical Support.

HP 425

Green flashing, 1 flash/sec.
The AP is booting.

Green fading in/out
At least one client is connected to the 2.4 GHz radio.

Blue flashing, 2 flashes/sec.
The AP is updating its system software image.

Blue flashing, 2 sec. on / 2 sec. off
The AP is booted and is registered to the controller. There is no client connected.

Blue fading in/out
At least one client is connected to the 5 GHz radio.

Orange on for more than 20 sec.
An initialization exception has occurred.

Orange flashing, 1 flash/sec.
There is a problem with the radio module.

Orange flashing, 2 flashes/sec.
Both radios are disabled, or the Ethernet port is disabled while no local mesh peer exists.

Green/Blue alternately fading green and blue
Clients are connected to both the 2.4 GHz and 5 GHz radios.


Hope this helps you.

Posted in Access Point, hp, led, wifi | Comments Off on HP Accesspoints and blinking LEDs

Retrieve MS-SQL version info without MS SQL Studio

After digging around for a customer to update their ms-sql server for an application, I had to find out the version they were using first.

Not having the Visual studio tools installed, there’s a cmdline tool that can do this.

As an authoritative user, such as Administrator in this case, I had to go to

C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn>

(you can already see the ‘100’ that says something about the version, it can be something else, like 80, 90, etc)

Then type

SQLCMD -S server\instance

Where server is your server and instance the instance you want to connect to

You can also do

SQLCMD -L

to see a list.

Then, at the 1> prompt you can type a command, and at the 2> prompt type ‘go’ to execute it.

Such as:

1> select @@version
2> go

That gives something like this:

Microsoft SQL Server 2008 R2 (SP1) – 10.50.2500.0 (Intel X86)
Jun 17 2011 00:57:23
Copyright (c) Microsoft Corporation
Express Edition on Windows NT 6.2 <X64> (Build 9200: ) (WOW64) (Hypervisor)

Or type:

1> select serverproperty('EditionID')
2> go

  • -1253826760 = Desktop
  • -1592396055 = Express
  • -1534726760 = Standard
  • 1333529388 = Workgroup
  • 1804890536 = Enterprise
  • -323382091 = Personal
  • -2117995310 = Developer
  • 610778273 = Enterprise Evaluation
  • 1044790755 = Windows Embedded SQL
  • 4161255391 = Express with Advanced Services

Or type:

1> select serverproperty('Edition')
2> go

Which in my case said “Express Edition”

Hope this helps you!

Have fun!


Posted in Microsoft, MS SQL | Comments Off on Retrieve MS-SQL version info without MS SQL Studio

Exchange, Disable spam filter for a receive connector

You may want to disable the spam filter for e.g. a connector that sends your invoices.

Get-ReceiveConnector "SERVER\ReceiveConnector" | Add-ADPermission `
    -User "NT Authority\Anonymous Logon" `
    -AccessRights ExtendedRight -ExtendedRights ms-exch-bypass-anti-spam

Hope this helps you!


Posted in E-mail, Exchange 2016, smtp | Comments Off on Exchange, Disable spam filter for a receive connector