I need to login into 50 hosts and perform a specific task.
Each host has one of 2 passwords (ex: pass1 and pass2) for a specific user (ex: foo).
I do not know on which host "foo" is set with "pass1" and on which host "foo" is set with "pass2". I have both passwords in a vault file.
Using Ansible, how can I first make a task where I try to login as "foo" with "pass1", then if unsuccessful login with "pass2" and finally setting a fact with the correct vault value (depending on which password worked i.e. "foo" managed to login).
I then want to use that fact to perform additional tasks on that same host.
I am trying to craft a command that would run against all of my Windows machines to check if the "Audit Distribution Group Management" audit policy setting is set to "Success and Failure". I would only like to apply this check to Domain Controller servers and for any other server type to echo out something like "NoCheckRequired", is this possible?
I tried to create an if-else statement on PowerShell for this, but it was not successful.
I tried to use the "wmic.exe ComputerSystem get DomainRole" command to find out the type of machine, values 4 / 5 mean DC server from my understanding, and using an IF statement, I tried to match those values and check if the group policy audit settings were set and for any other values returned other than 4 / 5
wmic.exe ComputerSystem get DomainRole outputs the property name on a separate line before outputting the actual value, so comparing to the number 4 (as an example) will not work.
Instead, use the Get-CimInstance cmdlet:
$CS = Get-CimInstance Win32_ComputerSystem
if($CS.DomainRole -in 4,5){
# We're on a Domain Controller
}
elseif($CS.DomainRole -in 1,3) {
# We're on a Domain member
}
else {
# We're on a workgroup machine
}
Get-ADComputer -Filter 'primarygroupid -eq "516"'
Will filter the Domain controller
i try to monitor values with nagios over snmp from my two audiocodes SBCs (M500L).
For these i download two MIBs "AC-ALARM-MIB" + "IP-MIB_rfc4293" from https://github.com/librenms/librenms/tree/master/mibs/audiocodes rename it to .txt at the end and upload it to my ubuntu server in path /usr/share/snmp/mibs/.
Then i try to use the following command in command line.
snmpget -v3 -l authPriv -u xxxxxx -a SHA -A xxxxx -x AES -X xxxxx 123.456.789.100 AcAlarm:acActiveAlarmName
and i get the following output
AcAlarm::acActiveAlarmName = No Such Instance currently exists at this OID
I try to find out the OID from these in MIB Browser - seems like it is " .1.3.6.1.4.1.5003.11.1.1.1.1.5". When i use these OID i get same output.
Anyone has an idea?
SNMP treats all values as being entries in some database. OIDs are used to identify entries in this conceptual database. MIB files allow an SNMP manager to translate OIDs into a human-readable string, with an accompanying textual description.
The issue here is not that the MIB files are bad, or the OIDs are wrong, the problem is that, either the devices that hold this (imaginary) database do not support the entries you are trying to access, or that your user is not authorized to access those entries. A simple way to find out what OIDs are supported would be to do a full walk of the database, using something like snmpwalk <hostname> 1.3.6.1
I have a user in my workplace domain, I want to add him to a specific domain group then assign him some privileges on a specific folder.
I wonder how this can be done using command line or a more automated process than doing it step by step as I do this quite often.
I'm using AD on Windows 10
Looks like dsmod group can be used but I don't know how.
If I have a user with username userh01 in domain mydom how I can add him automatically to group mydomgroup1?
I've tried this command:
dsmod group "mydomgroup1" -addmbr "userh01"
but I get this error
dsmod failed:Value for 'Target object for this command' has incorrect format.
Any advice?
Maybe using powershell to add memeber to a domain group is an alternative way.
here below th script for example
Add-ADGroupMember -Identity "Groupmane" -Memebers "Username to add"
Add-ADGroupMember -Identity "mymdomgroup1" -Memebers "userh01"
ps:you may need to import active diretory modul. before using Add-ADGroupMeber parameter use this command 'Import-Module ActiveDirectory' at begining
for different syntax and detailed description to add-adgroupmember parameter follow this link
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee617210(v=technet.10)
I have a MIB object with read-write permission. MIB section looks like this:
EnableHalt OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-write
STATUS current
DESCRIPTION "implemented in NetSnmpcodsMr.c file."
DEFVAL { 0 }
::= { Scalars 4 }
When I do a set on this object I get:
$ sudo snmpset -v 2c -c public localhost 1.3.6.1.4.1.8072.2.2.4.0 i 1
Error in packet.
Reason: noAccess
Failed object: NET-SNMP-MIB::netSnmp.2.2.4.0
When I do a get:
$ snmpget -v 2c -c public localhost 1.3.6.1.4.1.8072.2.2.4.0
NET-SNMP-MIB::netSnmp.2.2.4.0 = INTEGER: 1
All is fine!
In snmpd.conf I added the line:
rwcommunity public localhost
Still noAccess issue. I'm using net snmp 5.4.2.1 on Ubuntu
What am I doing wrong? Please advice Thanks Gil
It's nine months since you asked this but in case it's helpful...
Is your community string correct? You specified it as "public", which is the default read-only community string. Perhaps it should be "private" instead, which is the default read-write community string.
try:
snmpget -v 2c -c public localhost 1.3.6.1.4.1.8072.2.2.4.0 NET-SNMP-MIB::netSnmp.2.2.4.0
Gil,
If that object is read-only, then you probably will receive notWritable instead of noAccess.
http://www.tcpipguide.com/free/t_SNMPVersion2SNMPv2MessageFormats-5.htm
So I think it is still a Net-SNMP configuration issue and you can post to Net-SNMP mail list or check out the archive,
http://www.net-snmp.org/support/contacts.html
modify the snmpd.conf file, add below line into the end of file.Provide write permission.
rwcommunity public
noAccess (as opposed to notWritable) could be caused by your VACM view configuration in snmpd.conf. Look to the com2sec, group, view, and access directives. Respectively, these map a community string and source address/subnet to a security name; add a security name as a member of a VACM group; define an OID subtree as a named view; and finally indicate the access level for a given set of those other parameters along with security model and security level. If gets return noError but sets return noAccess, chances are good that one of these directives has configured your community string or your IP address for read-only access for what would otherwise be a read-write variable.
I have edited the access control section in snmpd.conf and it working perfectly fine for me,
########################################################################
#######
# Access Control
#######################################################################
# YOU SHOULD CHANGE THE "COMMUNITY" TOKEN BELOW TO A NEW KEYWORD ONLY
# KNOWN AT YOUR SITE. YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO
# SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE.
# By far, the most common question I get about the agent is "why won't
# it work?", when really it should be "how do I configure the agent to
# allow me to access it?"
#
# By default, the agent responds to the "public" community for read
# only access, if run out of the box without any configuration file in
# place. The following examples show you other ways of configuring
# the agent so that you can change the community names, and give
# yourself write access as well.
#
# The following lines change the access permissions of the agent so
# that the COMMUNITY string provides read-only access to your entire
# NETWORK (EG: 10.10.10.0/24), and read/write access to only the
# localhost (127.0.0.1, not its real ipaddress).
#
# For more information, read the FAQ as well as the snmpd.conf(5)
# manual page.
####
# First, map the community name (COMMUNITY) into a security name
# (local and mynetwork, depending on where the request is coming
# from):
# sec.name source community
#com2sec paranoid default public
#com2sec readonly default public
com2sec readwrite default private
####
# Second, map the security names into group names:
# sec.model sec.name
#group MyROSystem v1 paranoid
#group MyROSystem v2c paranoid
#group MyROSystem usm paranoid
#group MyROGroup v1 readonly
#group MyROGroup v2c readonly
#group MyROGroup usm readonly
group MyRWGroup v1 readwrite
group MyRWGroup v2c readwrite
group MyRWGroup usm readwrite
####
# Third, create a view for us to let the groups have rights to:
# incl/excl subtree mask
view all included .1 80
view system included .iso.org.dod.internet.mgmt.mib-2.system
####
# Finally, grant the 2 groups access to the 1 view with different
# write permissions:
# context sec.model sec.level match read write notif
#access MyROSystem "" any noauth exact system none none
#access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none
# ------------------------------------------------------------------