Tuesday, December 14, 2010

Group policy for password changing

Here is some nasty info about adding a password policy to an ADS:

  • Password policies can only be set at the domain level.
If you want different password policies, you have to
  • create a subdomain,
or
  • move to Server 2008, where Fine-Grained Password Policies give you the option of using different password policies,
or
  • look for a 3rd-party tool.

What might be the technical reason for this?

The whole login/authorization of Windows (before Windows 2008/Vista) is based on NTLM, which basically means you are logging on to an NT-style domain.
So all users in that domain have the same (NT-style) password restrictions.

If all your systems are Windows 2008 or newer, then Kerberos is used for authentication/logon, and here apparently password policies are applied the way normal users would expect.

Monday, November 15, 2010

Upgrading CentOS 5.4 to 5.5 32-bit DomU on a Xen 64-bit Dom0

Normally upgrading CentOS is very simple, just by doing a
yum update

But when you run CentOS as a 32-bit DomU under a 64-bit Dom0 server, you will receive strange error messages.
This is due to the fact that the rpm command looks at the installed kernel, and that one is a 64-bit build. So it then tries to install everything for 32 AND 64 bit.
To prevent this, just create the file /etc/rpm/platform and place the line:
i686-redhat-linux
in it.
After this, all the yum and rpm commands work fine, since they are fixed to the i386/i686 platform. No confusion about the 64-bit kernel.

Wednesday, November 10, 2010

ipv6 in the wild

In the last year we took many steps toward IPv6-enabling our networks and servers.
Many things are simple, but there are also many pitfalls.

Here is some info about IPv6 in Ubuntu/Debian:

- The Ubuntu distributions 9.04 and newer have good IPv6 support; most applications work with IPv4 and IPv6. Some applications, however, have problems with IPv6 addresses in some places. Here an upgrade to the most recent 10.10 release solves many issues.

- Debian: most things work fine in lenny, you can do most of what you need, but there are still a few places where you may stumble. The real "full" IPv6 support is coming up in squeeze.

Here are two places where you might struggle:

- Assigning a static IPv6 address in Debian lenny just does not work....
Nothing to worry about on workstations/desktops, but on firewalls and servers it would be nice to always have the same IPv6 address assigned.
The reason for the problem is that when the eth0 interface (or any other) is brought up, the ipv6 kernel module is not yet loaded. So it's not possible to apply the IPv6 settings specified in the /etc/network/interfaces file.
The simplest solution is to add ipv6 to the file /etc/modules (and rebuild the initramfs); that way ipv6 is loaded directly at boot and everything works as intended.

- rsync has only partial IPv6 support.
What does this mean?
rsync is able to resolve host names to IPv6 addresses and then connect to them via IPv6.
But if you wish to specify the IPv6 address of the host directly on the command line, then it fails to parse the address.
The simplest way to solve the problem is to install rsync from the Debian backports.

Don't forget, IPv4 addresses are running out in the next year, so prepare slowly to add IPv6 support to your network.
You don't have to do it in a big-bang way; rather, implement it step by step.

Monday, October 25, 2010

Collect Linux statistics with collectd

collectd is a great tool to collect various parameters of a running Linux installation.

It can monitor disk space, CPU load, temperatures and much more.

One thing to note is that collectd can cause system load by itself.
To prevent this, enable caching in rrdtool.

For more details read on in this post:

https://jeremy.visser.name/2010/02/23/enable-caching-in-collectd/

Thursday, October 21, 2010

IPsec VPN with AVM 7170 / 7270 and Linux (Ubuntu) OpenSwan and DynDNS

With the current firmware, the AVM ADSL routers 7170 and 7270 support creating IPsec VPNs.
That makes them interesting for connecting remote offices, small points of sale etc. to the enterprise network, also when the remote sites don't have a fixed IP address.

Unfortunately the documentation of the IPsec stuff from AVM is "very limited".

To get it working it's important to configure the correct settings in the VPN configuration file for the AVM routers.

The wizard for creating the VPN config files generates something like this:

vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "IP_OF_ENTERPRISE";
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "remote.dyndns.org";
        localid {
            ipaddr = IP_OF_ENTERPRISE;
        }
        remoteid {
            fqdn = "remote.dyndns.org";
        }
        mode = phase1_mode_aggressive;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "**********";
        cert_do_server_auth = no;
        use_nat_t = no;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.10.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 172.18.1.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        accesslist = "permit ip any 172.18.1.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}


To be able to connect to an OpenSwan/Linux server, we have to tweak some settings:


vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "IP_OF_ENTERPRISE";
        always_renew = yes; // Make sure the connection autostarts
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "remote.dyndns.org";
        localid {
            ipaddr = IP_OF_ENTERPRISE;
        }
        remoteid {
            fqdn = "remote.dyndns.org";
        }
        mode = phase1_mode_idp; // Change this from aggressive to normal (main) mode
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "**********";
        cert_do_server_auth = no;
        use_nat_t = no;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.10.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 172.18.1.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-3des-sha/ah-no/comp-no/pfs"; // This is the setting compatible with OpenSwan
        accesslist = "permit ip any 172.18.1.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}


In the AVM documentation you see the possible combinations of phase1ss and phase2ss. It is important to know that ONLY the listed combinations work, so you can't use other, non-listed combinations. (It took me a whole day to figure that out.)
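An added example, not from the post or from AVM: a small Python parser for the vpncfg syntax shown above and a check that flags the three settings the post changes for the OpenSwan peer (aggressive phase 1 mode, which with a pre-shared key also sends the identity in the clear and exposes a PSK-derived hash during IKE, always_renew, and the phase2ss proposal). The embedded sample config is constructed, and the expected values are taken from the second listing.

```python
import re

# Constructed sample in the vpncfg syntax of the wizard output above (values are placeholders).
SAMPLE_CFG = """
vpncfg {
    connections {
        always_renew = no;
        mode = phase1_mode_aggressive;
        keytype = connkeytype_pre_shared;
        key = "**********";
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}
"""

TOKEN = re.compile(r'"[^"]*"|[{}=;,]|[^\s{}=;,]+')  # quoted string, punctuation, or bare word

def parse_vpncfg(text):
    """Parse 'key = value;' and 'name { ... }' into nested dicts; comma lists become lists."""
    tokens = TOKEN.findall(re.sub(r"//[^\n]*", "", text))  # drop the // comments AVM allows
    cur = root = {}
    stack, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "}":                       # close the current block
            cur, i = stack.pop(), i + 1
        elif nxt == "{":                     # open a nested block
            cur[tok] = {}
            stack.append(cur)
            cur, i = cur[tok], i + 2
        elif nxt == "=":                     # assignment, possibly comma separated
            j, vals = i + 2, []
            while tokens[j] != ";":
                if tokens[j] != ",":
                    vals.append(tokens[j].strip('"'))
                j += 1
            cur[tok], i = (vals[0] if len(vals) == 1 else vals), j + 1
        else:
            raise ValueError("unexpected token %r" % tok)
    return root

def check_connection(cfg):
    """Return findings where the config differs from the OpenSwan-compatible listing."""
    conn = cfg["vpncfg"]["connections"]
    findings = []
    if conn.get("mode") == "phase1_mode_aggressive":
        findings.append("mode: aggressive phase 1 (identity and PSK hash exposed); use phase1_mode_idp")
    if conn.get("always_renew") != "yes":
        findings.append("always_renew: set to yes so the tunnel is re-established by itself")
    if conn.get("phase2ss") != "esp-3des-sha/ah-no/comp-no/pfs":
        findings.append("phase2ss: not the OpenSwan-compatible proposal; only listed combinations work")
    return findings
```

Run check_connection on the parsed export of a box before rolling it out; an empty list means the three settings match the second listing.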

On the openswan side you have to define a connection like this:


# VPN connection for remote.dyndns.org
conn remotedyndnsorg
    right=remote.dyndns.org
    rightid=@remote.dyndns.org
    rightsubnet=172.18.1.0/24
    left=IP_OF_ENTERPRISE
    leftsubnet=192.168.10.0/24
    auth=esp
    pfs=yes
    authby=secret
    dpddelay=20
    dpdtimeout=60
    dpdaction=hold
    auto=start
    keyingtries=%forever
    keylife=45m
    rekey=yes
    ikelifetime=20m
    compress=no


and of course in ipsec.secrets you have to add the PSK.

Currently we have a problem that when the Fritz boxes receive a new public IP,
OpenSwan does not always update the IP address for the connection.
This can be partially solved by upgrading to a more recent OpenSwan version (2.3.16 or newer), which does a DNS resolve when the VPN tunnel breaks.
But sometimes it still hangs in a state where it receives IPsec packets and drops them because they do not match the old resolved IP.

Wednesday, May 5, 2010

Hyper-V and current CPUs

You have a brand-new installation, with a new server, MS Windows Server 2008 R2 and Hyper-V.

You see frequent blue screens (or unexpected reboots) with event log entries
like:

0x00000101 (0x0000000000000019, 0x0000000000000000, 0xfffff88001e5d180, 0x0000000000000002)


MS is aware of the problem and has a hotfix they provide on demand.

More details can be found here:

http://support.microsoft.com/?scid=kb%3Ben-us%3B975530&x=11&y=13


Looks like the Hyper-V stuff is still somewhat beta quality.

Thursday, April 29, 2010

Disable IE Enhanced Security in Windows 2008 R2 Terminal Server

One of the IE features in server environments is the Enhanced Security Configuration setting.
For servers this setting might be OK, but for normal users on a terminal server it's just not usable.

On the "Server Manager" screen you can specify for users and administrators whether the enhanced security should be active or not.
The first step is to turn this off for normal users.
If by chance this really has an effect on your users, be happy and enjoy it.

But if you are still reading, then probably disabling this setting for the users did not change anything.

To make it simple:

Log in as the user and run these 3 commands from the command line:

Rundll32 iesetup.dll, IEHardenLMSettings

Rundll32 iesetup.dll, IEHardenUser

Rundll32 iesetup.dll, IEHardenAdmin


This bug is only one year old, so please give MS some more time until they provide a fix for it.
(http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/c5572fc7-6e92-46f8-824d-baca246e3106)

Friday, April 23, 2010

Be (a little bit) god under Windows 7

Under Windows 7, just create a folder with the name

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}.


Now navigate to this folder with Windows Explorer.
Software developers (even at MS) have some sense of humor :)

Friday, April 2, 2010

Connecting a VDSL modem with a Cat6 cable

If it's a Zyxel VDSL P-870M, then don't do it.

Instead use the supplied Ethernet cable (Cat5 UTP).
We installed such a modem, connected it to the firewall system (HP rack server) and installed the PPPoE stuff.
The PPP authentication worked, but then the modem stopped responding on the Ethernet port.
We even switched the network port on the server, exchanged the cable for another Cat6 cable, connected a serial terminal to the management port etc.

In a last try we plugged in the supplied yellow cable.... and it worked.

The supplied yellow cable is a Cat5 unshielded cable with only 4 wires connected.
So probably the modem and server agreed on a gigabit connection when all 8 wires were connected, but then the modem failed miserably as soon as data flowed at gigabit speed.
On a 4-wire cable connection, the server and modem agreed on a 100 Mbit connection, and that's probably the speed the modem is able to handle.

Saturday, March 13, 2010

Access your Firefox settings from everywhere

Do you use Firefox as your web browser and use it on different computers?
Then you probably also have the problem that the history, bookmarks and saved passwords are not the same on all systems.

For a few months now there has been a reliable solution to this problem:

Mozilla Weave (also available directly via the Add-on page)

It's a Firefox add-on which keeps your settings in sync between as many systems as you want.

Just install the add-on and then create a Weave account, and all your settings are synced to the Mozilla Weave server. (Don't worry, privacy is guaranteed and the data is encrypted, or, if you are paranoid, you can even install your own Weave server.)

On the second system, just install the add-on, enter your credentials and then select whether you wish to merge or replace the settings from the server.

That's it. I have been using it since version 0.5, and since version 0.9 it's really stable and very useful.
Actually I sync 4 installations with Weave:
1. The computer at work
2. The laptop at home running Ubuntu
3. The same laptop at home running (once a month) Windows 7
4. The desktop at home (most of the time used by my children)

And Weave just works as it should.

Tuesday, March 9, 2010

Linux and Epson DM-D110 display

In a project we had to switch over from a Windows XP based environment to a Linux based POS system.

All components worked just fine (almost out of the box).
The main problem was the line display used to show information to the customers.

It is an Epson DM-D110 with USB interface.
There is no Linux driver available for that device from Epson :(

So the lsusb command showed this:

Bus 003 Device 003: ID 1208:0780

OK, no driver loaded for that USB device. I googled around, but only found a reference in the OpenBravo project about using the usbserial module for that device.
We did some tests, but were not able to get it working.

After some more googling and looking at the Windows drivers we found out that the chipset was in fact an FTDI with customized vendor and device IDs.

So after some trial and error we got it working by loading the FTDI kernel module for that device:

modprobe ftdi_sio vendor=0x1208 product=0x0780

This created a /dev/ttyUSB0 which we could then use to communicate with the device.
To automate the module loading on plug events, just create a new file in /etc/udev/rules.d

File: 50-udev-default.rules
# Load ftdi_sio with the Epson DM-D110 vendor/product IDs when the display is plugged in
SYSFS{idProduct}=="0780", SYSFS{idVendor}=="1208", RUN+="/sbin/modprobe -q ftdi_sio product=0x0780 vendor=0x1208"


This website has some more info on this:

http://www-user.tu-chemnitz.de/~sontag/sprog.html

For a solution that also works with 3.12 and newer kernels, please read on here.

Tuesday, March 2, 2010

Storing binary stuff in a database with Tomcat

When storing binary data in a database, usually you do the following:

PreparedStatement pStmt = conn.prepareStatement("insert into FileData (FileData, BinData) values (?,?)");
pStmt.setString(1, fileDataID);
pStmt.setBinaryStream(2, fInfo.getInputStream(), fInfo.getSize()); // getSize() returns a long
pStmt.executeUpdate();


That works fine, but sometimes you can get this error when using it
with Tomcat connection pooling:


java.lang.AbstractMethodError: org.apache.tomcat.dbcp.dbcp.DelegatingPreparedStatement.setBinaryStream(ILjava/io/InputStream;J)V


The reason for this is that you passed the last parameter as a long instead of an int. The signature in the error message, (ILjava/io/InputStream;J)V, is the variant with a long length, and the pooled DelegatingPreparedStatement does not implement it; hence the AbstractMethodError.

This is the fix for it:

PreparedStatement pStmt = conn.prepareStatement("insert into FileData (FileData, BinData) values (?,?)");
pStmt.setString(1, fileDataID);
// Cast to int so the (int, InputStream, int) overload is used, which the pooled
// wrapper implements. Contents larger than Integer.MAX_VALUE bytes cannot be
// passed this way, so check the size before casting if that can happen.
pStmt.setBinaryStream(2, fInfo.getInputStream(), (int) fInfo.getSize());
pStmt.executeUpdate();


Took half a day to figure out the problem.

Wednesday, February 24, 2010

Amazon MS licensing deal

Strange news has been published recently:

News entry on InformationWeek

In short:

A company using Linux systems/technologies pays some unknown license fees for "perhaps" patent violations, even though MS is not able to prove anything...

So they probably just wish to prevent some threats from the big player in this business.

In other environments such stuff would be called a "protection racket": paying to prevent being harmed by the "stronger" player on the market.
With no proof, no clear win for the one who pays....

Thursday, February 18, 2010

Windows 7 and Samba

Yet another post on the Windows 7 & Samba subject:

To be able to join Windows 7 stations to a Samba-controlled domain you must do the following steps:

- Make sure you have Samba version 3.3.4.
We also tried with 3.3.9 and 3.4.3 but have not been able to get it working in our environment....

- In the registry of the Windows 7 system change these settings:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
; 0 = do not require signing/sealing of the Netlogon secure channel
"requiresignorseal"=dword:00000000
; 0 = do not require a strong (128-bit) session key for the secure channel
"requirestrongkey"=dword:00000000



You should now be able to join the domain and login as well.

Open Word, Excel and PDF documents with Wine

Normally you don't install (MS|Open)Office under Wine.
You rather have the full OpenOffice directly installed under Linux.

To allow Windows apps to open the files with the native OpenOffice applications you can do the following:

- Create a registry file containing your associations per application

For example

REGEDIT4
[HKEY_CLASSES_ROOT\.doc]
@="docfile"

[HKEY_CLASSES_ROOT\docfile\shell\open\command]
@="c:\\ooffice.exe %1"


[HKEY_CLASSES_ROOT\.xls]
@="xlsfile"

[HKEY_CLASSES_ROOT\xlsfile\shell\open\command]
@="c:\\ooffice.exe %1"

[HKEY_CLASSES_ROOT\.pdf]
@="pdffile"

[HKEY_CLASSES_ROOT\pdffile\shell\open\command]
@="c:\\pdfreader.exe %1"


Then import this with regedit.exe.
Now create the helper applications under C:\ of your Wine installation.

For example: ooffice.exe (make sure it is executable: chmod a+x ooffice.exe)

#!/bin/sh
# winepath -u converts the Windows path Wine passes in into the corresponding Linux path
ooffice "`winepath -u "$*"`"


or for PDF:

#!/bin/sh
acroread "`winepath -u "$*"`"


What happens:

1. In the registry you tell Windows which app to start for the corresponding file type.
2. In the helper file ooffice.exe you start the native Linux application.
The helper application winepath converts a Windows path into the corresponding Linux path.

Tuesday, February 16, 2010

More printing with FreeNX

OK, so now we got remote printing working with FreeNX.

What had to be done:

- Disable (or remove) AppArmor from the server
- In the /usr/lib/nx/nxnode script, we forced cups=1 (around line 1096)

No idea why cups is not set, but once it's set we can print from GNOME applications.

Thursday, February 11, 2010

Printing with FreeNX

In current Ubuntu environments with FreeNX installed, printing does not work out of the box.
To get it working, we had to change two things:

* Create a symlink for /usr/lib/nx/nxsmb -> /usr/lib/cups/backend
* chmod a+x /usr/lib/libnxredir.so.0

After this, it's possible to print to the remote printer.
What is now left is telling GNOME/KDE to use that local CUPS server instead of the localhost one.

Welcome to my weblog

In this blog I will post small tricks, experiences, nasty things and much more about computer technology usage.