Posts tagged Putty
If you ever needed to troubleshoot login issues with the Netscaler, you know that you have to drop down to the Command Line Interface (shell) in order to trace the aaad.debug log.
But what if you need to give your helpdesk access to the same logs so that they can troubleshoot login issues? Well, that requires that you give them shell access.
But, as per Citrix, “If a user goes to the shell, that user is already a root user”, and we sure wouldn't want our helpdesk techs having root access to our Netscalers. So how do we give them enough access to troubleshoot without giving them root? We can create a “Command Policy”.
A “Command Policy” is what tells the Netscaler what a user can and can't do. For example, the command policy for “superuser” is “ALLOW .*” (that's a period and an asterisk, which is the Regular Expression for “any character, any number of times”), which means a user with the superuser command policy can execute any command.
Now to create the command policy for the Helpdesk
- Log in to our NetScaler using a superuser account
- Under the System Folder, select “Command Policies”
- Click the “Add” button and name your new policy “HelpDesk”, make sure that the “Action” is set to “Allow” and enter the following expression under “Command Spec”
^shell (cat (/tmp/|/var/log/)[a-zA-Z]*\.(log|debug)|ls (/tmp|/var/log))$
Now we have to assign our new policy to our Helpdesk group. Since my NetScaler is “LDAP enabled” for logins, all I have to do is create a group, assign my new policy, and done. (If your Netscaler is not LDAP enabled, then you will have to go and create users manually and assign them to the group we are going to create below.)
- Under the same “System” folder, Select “Groups”
- Click the “Add” button and name your new group “NetScaler-HelpDesk” (It has to match exactly what your helpdesk group is called in LDAP, in my case I have a group called “NetScaler-HelpDesk”)
- Under the “command policies” window, pick your newly created “HelpDesk” Policy, then hit the “Create” and then the “Close” button
- Now fire up Putty and try to log in with one of your HelpDesk user IDs; you will see that you can only trace “log” or “debug” files, and only in the “/var/log” and “/tmp” directories
That's all there is to it. Now your Helpdesk can troubleshoot NetScaler login issues while you concentrate on fixing other things.
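Before binding the HelpDesk policy to a group, it helps to see exactly which commands its Command Spec lets through. The following Python is an added example, not code from the original post or from Citrix: it evaluates the spec above against a few constructed commands. It assumes the spec is matched with `re.search`, so the `^` and `$` anchors inside the spec do the bounding, and it assumes a simple first-match, default-deny evaluation order rather than describing NetScaler's actual internals.

```python
import re

# The Command Spec from the post, used as the HelpDesk policy. Matching with
# re.search is an assumption: the spec's own ^ and $ anchors do the bounding.
HELPDESK_SPEC = r"^shell (cat (/tmp/|/var/log/)[a-zA-Z]*\.(log|debug)|ls (/tmp|/var/log))$"
SUPERUSER_SPEC = r".*"   # the built-in superuser policy quoted in the post

def evaluate(command, policies):
    """Return (allowed, spec) for the first policy whose spec matches COMMAND.

    POLICIES is an ordered list of (action, spec) tuples. First match wins and
    no match means deny; this is an assumption for the demo, not a statement
    of how NetScaler orders or evaluates bound policies.
    """
    for action, spec in policies:
        if re.search(spec, command):
            return action == "ALLOW", spec
    return False, None

HELPDESK = [("ALLOW", HELPDESK_SPEC)]
SUPERUSER = [("ALLOW", SUPERUSER_SPEC)]

# Constructed sample commands a helpdesk tech might type, with expected result.
SAMPLES = [
    ("shell cat /tmp/aaad.debug", True),               # the aaad.debug trace
    ("shell cat /var/log/ns.log", True),
    ("shell ls /var/log", True),
    ("shell cat /var/log/ns.log.1", False),            # rotated file: suffix not in spec
    ("shell cat /etc/passwd", False),                  # outside the two directories
    ("shell cat /tmp/aaad.debug | grep user", False),  # $ anchor rejects trailing text
    ("shell", False),                                  # a bare root shell is denied
    ("show ns version", False),                        # non-shell commands need another policy
]

def check_samples(policies=HELPDESK):
    """Return the sample commands whose outcome differs from the expectation."""
    return [cmd for cmd, want in SAMPLES if evaluate(cmd, policies)[0] != want]

if __name__ == "__main__":
    for cmd, _ in SAMPLES:
        allowed, _ = evaluate(cmd, HELPDESK)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {cmd}")
    print("mismatches:", check_samples())
```

Note that rotated logs such as ns.log.1 fall outside the spec; widen the expression deliberately if the helpdesk needs them rather than loosening the anchors.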
I run VirtualBox for my personal VM solution, and the problem is that sometimes you need to access the serial port on those virtual machines. I have never found an easy way to do this, but then I saw a post that gave me an idea. Over on the VMware Forums back in 2004 someone posted that to connect to serial named pipes, they just type in the pipe name as the serial port.
So I went about trying to figure out how to configure that in VirtualBox, and it worked, so now I'll share my configuration with you:
- Open up VirtualBox
- Go into Settings
- Select Serial Ports
- Click on “Enable Serial Port”
- For port number, select the port of the virtual machine that you want to connect to; in my case it's “Com1”
- For port mode, select “Host Pipe”
- Check the “Create Pipe” box
- For Port/File Path, fill it in with the following value: \\.\pipe\com_port_name (com_port_name can be whatever name you want to give it)
- That is it on the VirtualBox side, now to configure Putty!
Connecting with Putty
- Open Putty
- Under connection type, choose “Serial”
- In the “Serial Line” text box put in the name of the pipe that you used in the Virtual Serial port setup, in our case \\.\pipe\com_port_name
- Leave the “Speed” setting at 9600 and hit connect
- Once the window comes up, you should start seeing output from your virtual serial port; if you don't, hit Enter once and voila!
That's all for today!