How to have root access to callmanager 6.x and 7.x Testing

CesarFiestas (Vendor) (OP)
21 Sep 08 20:47
-These processes are to be used at your home lab only, unless you really
know what you are doing, and these instructions should be used for
educational and testing purposes only!! Cisco Unified Communications Manager
File Structure is an extremely secure file structure system, although you should always protect and monitor
the physical access to the location of your Nodes/Unified Communications
Manager servers.
-This test was performed on an MCS 7816 H3 server in a Lab and not in an operational cluster, although
I used 3 Cisco IP phones to simulate normal operation with total success: 1 Cisco IP Phone 7940, 1 Cisco IP Phone 7960, 1
Cisco Wifi Phone 7920.
-This process should take between 10 to 15 minutes.
-Please read this document in its entirety before performing any test.
-Lastly, you should never do this on a working Node; instead, if you are experiencing
problems such as booting, database errors, etc., you should try other options such as using your System
Recovery CD or, better yet, contacting TAC and speaking with a knowledgeable Cisco Engineer.


There are 2 ways to do this.

-One is to modify the permissions of the grub configuration using a Knoppix CD, then
becoming a "semi" root and then injecting the newly created user into the shadow
and passwd files. Now this option is also a great option, especially
when you have 2 versions of Unified Communications Manager running
on the BOX, for example UC 6.X in the inactive partition and UC 7 in
the active partition. The complete process will be in the other lesson :). This process
is a little bit complicated but it works like a champ when you have
2 versions running on the server; also you will need to know the
partition structure to boot up successfully, although after trying a
couple of times I found out that you will need to boot from
/dev/sda2 single to gain complete access; if you boot from another
sda, root will not perform as "super root". This one took me a
while to find out.

-Before proceeding I am assuming that you already have a working
Unified Communications Manager 6 or 7 running on an approved MCS server.
-Download an iso of CentOS 5.2 CD Disk 1
-Transfer the image to a CD
-Insert the CD into the Drive
-Turn on the Server
-Let the server boot from the CD
-On the CentOS startup screen, type linux rescue and press enter
boot: linux rescue
-Select the appropriate language
-Select the Country
-Select if you want to start the network service or not; if so
-Highlight eth0
-Configure eth0
-Continue the pre-boot process
-The server will continue the booting process until you are in the shell
-Once in the shell type
#chroot /mnt/sysimage
#lsattr /etc/passwd /etc/group /etc/shadow /etc/gshadow
#chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow
#useradd [enter a desired username] <---such as cesar
#passwd [enter the newly desired username]  <----this will create a password for the new user (entered twice)
#usermod -g root [your new username]  <---this will add this user to the root group, although
you are not a real superuser, but you can move around freely connecting to the unified communications
manager console.
#service network start  <---this will really start the network services
#service sshd start <-----this will start the ssh server
#ifup eth0 <------this will turn up the eth0 for sure!

Great, we are almost done; now while you are here you can do the following:

-Mount a USB Drive, for example, so you can copy files between the server and your USB drive.
-To do this:
-Insert the USB drive
-while on the shell type
#cd /dev
#ls
-Look for the newly mounted USB drive, it should be something like (sdb1); if so, proceed to mount the
usb drive by doing the following:
#mkdir -p /mnt/usb
#mount /dev/sdb1 /mnt/usb
-Your USB drive should now be mounted and ready for use.
You can also mount the USB drive permanently as well, but that's for a later lesson...

-Remember that this newly created account will not let you do much, but you can browse around while
using the new user, and remotely via ssh. Now if you want to modify a file remotely and this file is
secured, you may need to log in as root first and change the permissions of the file, so you can later
modify the file using the new user account you just created. How to change a file's permissions?
#chmod 777 [filename]

-It would be a good idea to put the file back to the original permission settings after you have
modified it, just to keep the integrity of the file structure.

:::::::::::::::::::::::Please read carefully before doing anything else:::::::::
Anything you do from here may cause the Unified Communications Manager not to start!!

-Now while on the root shell you can change the permissions on any file you want to modify; remember
you can't do this as the user you just created... this is because you will still need to take
the root account out of the equation by doing the following
#usermod -u 20000 root
#usermod -u 0 [your new username]
****NOTE: At this point you are now the super user of the box, but when you do this Unified Communications
Manager may not start properly... So BE CAREFUL!!

-Also while in root we can go ahead and modify iptables, for example to install webmin and manage the box
via web port 10000, although you may need to install a couple of other scripts, but it's not hard. Also if you
are not a "vi" fanatic, go ahead and install nano via usb or by using the wget command; again you may
also need some other scripts to run nano, and of course access to the internet.

*Also FYI

The platform user belongs to the following groups.
administration
sftpuser
platform
tomcat
ccmbase
ccmsyslog

The root user belongs to the following groups.
wheel
root
bin
daemon
sys
adm
disk

-Remember how you allocate your users and groups; it will mandate their access.

*****************UPDATE*************************************


After reviewing several corners, I thought, wait, why add another user, play
with the group allocations and all that, when I can just access the Unified Communications
Manager like a member of Cisco TAC would? I mean, what I am trying to accomplish
here is to access the box and at the same time maintain the integrity of the box
as much as possible, without modifying too many things on the UCM server platform.

So, I will call this the Remote Account Process.

On a working server or environment we will do the following:
-Connect to the UCM Console using an SSH Client
-Proceed to enable a remote account
 admin:utils remote_account enable
-Proceed to create a remote_account user
 admin:utils remote_account create [our_new_remote_account_username] [number of days that
we want this account to remain active]
 example
 admin:utils remote_account create ciscotac 30
-the above example will create a remote account user named ciscotac and it will be valid
for 30 days.
-Once we have successfully created a remote_account we will proceed to reboot the server
cleanly.
 admin:utils system restart
-Proceed to insert the CentOS 5.2 Disk 1
-on the Boot option enter linux rescue
 boot:linux rescue
-Once you are in the linux shell
-Proceed to do the following
#lsattr /etc/passwd /etc/group /etc/shadow /etc/gshadow
#chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow
#passwd [enter the username that you have created for the remote account user]
-Enter the new password that you want for the new remote account user twice
-eject the CentOS 5.2 Disk 1
-Reboot the server by doing the following
#shutdown -r now
-Once Unified Communications Manager has completed rebooting, simply log in to UCM using an SSH
client with the remote account username and password; you will see
the following message

Welcome to Remote Support

[root@CTICLTLAB1 ~]#


Document Revised by Cesar Fiestas

Cesar Fiestas
Network Engineer
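Added example (not part of the post above and not Cisco's code): an administrator who wants to know whether a node has been through the steps described in this thread can audit snapshots of /etc/passwd, /etc/group and the lsattr output for the account files. The checks below flag exactly the end state the post produces: an extra UID 0 account, root renumbered to another UID, a user given the root group, and the immutable flag cleared on passwd/shadow/group/gshadow. The sample snapshots are constructed, and treating a missing immutable flag as a finding is this example's assumption (the post's lsattr/chattr -i step implies the files normally carry it, but that is not documented here).

```python
"""Audit passwd/group/lsattr snapshots for the account changes described in the post.

Added example: all sample data is constructed; the immutable-by-default expectation
for the four account files is an assumption taken from the post's chattr -i step.
"""

CRITICAL_FILES = ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow")


def parse_passwd(text):
    """Parse passwd(5)-format text into a list of (name, uid, gid, shell) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:          # skip blank or malformed lines
            continue
        name, _pw, uid, gid, _gecos, _home, shell = fields
        entries.append((name, int(uid), int(gid), shell))
    return entries


def parse_group(text):
    """Parse group(5)-format text into {group name: set of supplementary members}."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4:
            continue
        name, _pw, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_lsattr(text):
    """Parse lsattr output lines such as '----i--------e- /etc/passwd' into {path: set(flags)}."""
    attrs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            flags, path = parts
            attrs[path] = set(flags) - {"-"}
    return attrs


def audit(passwd_text, group_text, lsattr_text, allowed_root_members=frozenset()):
    """Return a list of (severity, message) findings; an empty list means nothing suspicious."""
    findings = []
    for name, uid, gid, _shell in parse_passwd(passwd_text):
        if uid == 0 and name != "root":          # the post's 'usermod -u 0 <newuser>'
            findings.append(("HIGH", f"extra UID 0 account: {name}"))
        if name == "root" and uid != 0:          # the post's 'usermod -u 20000 root'
            findings.append(("HIGH", f"root account renumbered to UID {uid}"))
        if gid == 0 and name != "root":          # the post's 'usermod -g root <newuser>'
            findings.append(("MEDIUM", f"{name} has primary GID 0 (root group)"))
    groups = parse_group(group_text)
    for grp in ("root", "wheel"):                # groups the post lists for the root user
        for member in sorted(groups.get(grp, set()) - allowed_root_members):
            findings.append(("MEDIUM", f"{member} added to group {grp}"))
    attrs = parse_lsattr(lsattr_text)
    for path in CRITICAL_FILES:                  # the post's 'chattr -i' clears this flag
        if "i" not in attrs.get(path, set()):
            findings.append(("MEDIUM", f"{path} is not immutable (chattr +i cleared or never set)"))
    return findings


# Constructed baseline: only root is UID 0 and all four account files carry the 'i' flag.
CLEAN_PASSWD = "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\nadmin:x:500:500::/home/admin:/bin/bash\n"
CLEAN_GROUP = "root:x:0:\nwheel:x:10:\nplatform:x:501:admin\n"
CLEAN_LSATTR = "\n".join(f"----i--------e- {p}" for p in CRITICAL_FILES)

# Constructed snapshot of the post's end state: root moved to UID 20000, the new user
# given UID 0 / GID 0 and the wheel group, immutable flag cleared on passwd and shadow.
TAMPERED_PASSWD = (
    "root:x:20000:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n"
    "admin:x:500:500::/home/admin:/bin/bash\ncesar:x:0:0::/home/cesar:/bin/bash\n"
)
TAMPERED_GROUP = "root:x:0:\nwheel:x:10:cesar\nplatform:x:501:admin\n"
TAMPERED_LSATTR = (
    "-------------e- /etc/passwd\n-------------e- /etc/shadow\n"
    "----i--------e- /etc/group\n----i--------e- /etc/gshadow\n"
)

if __name__ == "__main__":
    for label, args in (("clean", (CLEAN_PASSWD, CLEAN_GROUP, CLEAN_LSATTR)),
                        ("tampered", (TAMPERED_PASSWD, TAMPERED_GROUP, TAMPERED_LSATTR))):
        print(label)
        for severity, message in audit(*args) or [("OK", "no findings")]:
            print(f"  [{severity}] {message}")
```

Feed it copies of the three files and the lsattr output captured from a node; the clean snapshot yields no findings and the tampered one yields six, led by the two HIGH findings for the renumbered root and the extra UID 0 account. The allowed_root_members set exists so that a site's known wheel members do not show up as findings on every run.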
