Monthly Archives: January 2008

dell 2748 and cisco 6509 link aggregation – 802.3ad or etherchannel, not LACP

Once again cleaning up a pile of switches hanging off each other. I’m starting with taking a Dell Powerconnect 2748 switch and trunking it back to a Cisco Catalyst 6509. Run two network links with the intention of aggregating them. Interestingly this overview page says the 3448 and 2424 support “Link Aggregation with support for up to eight aggregated links per switch and up to eight ports per aggregated link (IEEE 802.3ad); LACP support” but the corresponding box for the 2748 is empty.

Under the tech specs for the 3448:

Link Aggregation with support for up to 8 aggregated links per switch and up to 8 member ports per aggregated link (IEEE 802.3ad)
LACP support (IEEE 802.3ad)

And the tech specs for the 2748 (which I have):

Industry-standard link aggregation adhering to IEEE 802.3ad standards
Supports 6 link aggregation groups and up to 4 ports per group

When configuring the two ports for a channel group:

configure terminal
interface range g7/1 - 2
channel-protocol lacp
channel-group 1 mode active

The ports would come up but I’d see intermittent packet loss on pings.

sw01#show etherchannel 1 detail
Group state = L2
Ports: 2 Maxports = 16
Port-channels: 1 Max Port-channels = 16
Protocol: LACP
Ports in the group:
——————-
Port: Gi7/1
————

Port state = Up Sngl-port-Bndl Mstr Not-in-Bndl
Channel group = 1 Mode = Passive Gcchange = –
Port-channel = null GC = – Pseudo port-channel = Po1
Port index = 0 Load = 0x00 Protocol = LACP

Flags: S – Device is sending Slow LACPDUs F – Device is sending fast LACPDUs.
A – Device is in active mode. P – Device is in passive mode.

Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi7/1 SP indep 32768 0x1 0x1 0x701 0x7C

Age of the port in the current state: 00d:00h:05m:09s

Port: Gi7/2
————

Port state = Up Sngl-port-Bndl Mstr Not-in-Bndl
Channel group = 1 Mode = Passive Gcchange = –
Port-channel = null GC = – Pseudo port-channel = Po1
Port index = 0 Load = 0x00 Protocol = LACP

Flags: S – Device is sending Slow LACPDUs F – Device is sending fast LACPDUs.
A – Device is in active mode. P – Device is in passive mode.

Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi7/2 SP indep 32768 0x1 0x1 0x702 0x7C

Age of the port in the current state: 00d:00h:05m:09s

Port-channels in the group:
———————-

Port-channel: Po1 (Primary Aggregator)

————

Age of the Port-channel = 00d:00h:52m:26s
Logical slot/port = 14/1 Number of ports = 0
Port state = Port-channel Ag-Not-Inuse
Protocol = LACP

The interesting parts are the member ports (Up, but Not-in-Bndl with an LACP state of “indep”) and the port-channel itself (Number of ports = 0, Ag-Not-Inuse): the physical links were up, but LACP never negotiated a bundle, so traffic was being forwarded over two independent links. I configured “LAG” on the 2748 by selecting the two corresponding ports on the “LAG Membership” page.

Doubting LACP support, I cleared the channel group configuration (no channel-group 1) and then configured a static etherchannel (channel-group 1 mode on). Mode on bundles the ports without any LACP or PAgP negotiation at all, so both ends have to be configured by hand and a mismatch won’t be detected by the switches. Now things look good!

sw01#show etherchannel 1 detail
Group state = L2
Ports: 2 Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol: –
Ports in the group:
——————-
Port: Gi7/1
————

Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On/FEC Gcchange = –
Port-channel = Po1 GC = – Pseudo port-channel = Po1
Port index = 0 Load = 0x55 Protocol = –

Age of the port in the current state: 00d:00h:10m:40s

Port: Gi7/2
————

Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On/FEC Gcchange = –
Port-channel = Po1 GC = – Pseudo port-channel = Po1
Port index = 1 Load = 0xAA Protocol = –

Age of the port in the current state: 00d:00h:10m:40s

Port-channels in the group:
———————-

Port-channel: Po1
————

Age of the Port-channel = 00d:01h:04m:04s
Logical slot/port = 14/1 Number of ports = 2
GC = 0x00000000 HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = –

Ports in the Port-channel:

Index Load Port EC state No of bits
——+——+——+——————+———–
0 55 Gi7/1 On/FEC 4
1 AA Gi7/2 On/FEC 4

Time since last port bundled: 00d:00h:10m:40s Gi7/2

So 802.3ad == Etherchannel (Cisco) == LAG (Dell), at least for a static bundle. The intermittent packet loss from earlier is gone as well.
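As an added check (my code, not from the post): a small Python parser for the “show etherchannel N detail” output above that flags members which are up but not accepted into the bundle, a port-channel whose member count doesn’t match, and an aggregator that isn’t in use. A half-formed bundle is exactly what produced the intermittent loss, so this is worth running over the command output after any channel-group change. The two captures from the post are embedded, trimmed, as the sample input.

```python
import re

# Constructed sample input: the two "show etherchannel 1 detail" captures from
# the post, trimmed to the lines this parser cares about.
BROKEN = """\
Group state = L2
Ports: 2 Maxports = 16
Protocol: LACP
Port: Gi7/1
Port state = Up Sngl-port-Bndl Mstr Not-in-Bndl
Channel group = 1 Mode = Passive Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po1
Port: Gi7/2
Port state = Up Sngl-port-Bndl Mstr Not-in-Bndl
Channel group = 1 Mode = Passive Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po1
Port-channel: Po1 (Primary Aggregator)
Logical slot/port = 14/1 Number of ports = 0
Port state = Port-channel Ag-Not-Inuse
"""

WORKING = """\
Group state = L2
Ports: 2 Maxports = 8
Protocol: -
Port: Gi7/1
Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On/FEC Gcchange = -
Port-channel = Po1 GC = - Pseudo port-channel = Po1
Port: Gi7/2
Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On/FEC Gcchange = -
Port-channel = Po1 GC = - Pseudo port-channel = Po1
Port-channel: Po1
Logical slot/port = 14/1 Number of ports = 2
Port state = Port-channel Ag-Inuse
"""

PORT_RE = re.compile(r"^Port: (\S+)")
PO_RE = re.compile(r"^Port-channel: (\S+)")
STATE_RE = re.compile(r"^Port state = (.*)")
MODE_RE = re.compile(r"Mode = (\S+)")
NPORTS_RE = re.compile(r"Number of ports = (\d+)")


def parse_etherchannel(text):
    """Split the output into one dict per member port plus one for the port-channel.

    'Port state' appears both under each member and under the port-channel, so the
    parser tracks which section it is currently in."""
    ports, po, current, in_po = {}, {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            current, in_po = m.group(1), False
            ports[current] = {}
            continue
        m = PO_RE.match(line)
        if m:
            in_po, po["name"] = True, m.group(1)
            continue
        target = po if in_po else ports.get(current)
        if target is None:
            continue  # group-level header lines before the first "Port:"
        m = STATE_RE.match(line)
        if m:
            target["state"] = m.group(1).split()
        m = MODE_RE.search(line)
        if m:
            target["mode"] = m.group(1)
        m = NPORTS_RE.search(line)
        if m:
            target["nports"] = int(m.group(1))
    return {"ports": ports, "po": po}


def unbundled_ports(text):
    """Members whose link is up but which the aggregator has not accepted."""
    info = parse_etherchannel(text)
    return sorted(name for name, p in info["ports"].items()
                  if "Up" in p.get("state", []) and "In-Bndl" not in p.get("state", []))


def check_bundle(text):
    """Return (ok, problems): ok only when every member is bundled, the port-channel
    counts all of them, and the aggregator is in use."""
    info = parse_etherchannel(text)
    po = info["po"]
    name = po.get("name", "Po?")
    problems = [f"{p} is up but not in the bundle" for p in unbundled_ports(text)]
    if po.get("nports", 0) != len(info["ports"]):
        problems.append(f"{name} bundles {po.get('nports', 0)} of {len(info['ports'])} members")
    if "Ag-Inuse" not in po.get("state", []):
        problems.append(f"{name} aggregator is not in use")
    return (not problems, problems)


if __name__ == "__main__":
    for label, capture in (("LACP attempt", BROKEN), ("mode on", WORKING)):
        ok, problems = check_bundle(capture)
        print(label, "OK" if ok else "PROBLEMS", problems)
```

Run against the first capture it reports all four problems; against the second it reports none. With mode on there is no negotiation to tell you the far end disagrees, so this kind of post-change check (or the same thing with “show etherchannel summary”) is the only feedback you get.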

I have to figure LACP is the open way to auto-configure ports for 802.3ad or Etherchannel, and is the equivalent of using PAgP on Cisco gear. This is useful if you want your switches to negotiate etherchannel if possible, thus allowing you to add multiple cables and increase bandwidth without heavy reconfiguration. This Cisco page on LACP says:

LACP allows a switch to negotiate an automatic bundle by sending LACP packets to the peer.

As opposed to doing it by hand, which is plain old port aggregation. I wonder if in an older Cisco switch there’s an option for pre-802.3ad etherchannel and 802.3ad compatible etherchannel. It’s interesting to note that in this switch the ‘switchport trunk encapsulation isl’ command doesn’t work on some cards as they only support 802.1q vlan trunking.

Really have to laugh at this errata though:

System Firmware Version 1.0.0.33

Known Restrictions and Limitations:
The login screen accepts any password with the default
username, admin.

I guess that’s a problem, yeah. It’s cool that this release was a year ago and the problem hasn’t been fixed. This is why we buy Cisco switches and not Dell switches people.

working at widemile and blogging in web 2.0 worlds (post bubble)

A few of you know I work at Widemile now as a Systems Administrator. For non computer people, that means I play with computers. For those who care, I spend some time doing helpdesk trying to keep employees happy, and then secretly make cookies in the server room…. or, well, try to build awesome scalability using lots of different tools. I like startups because there’s no corporate mandate that we use IBM such and such, or that we have to use Oracle or any business oriented requirement. Although at my last startup the thing with Oracle did happen, which was kind of silly, but that’s another story.

So I get to leverage useful and flexible stuff, which usually amounts to open source software, to make everything work like magic. On that note, props to Adam and team at HJK Solutions for iclassify and being generally classy folks. If you’re scaling anything up at a startup, you need these people in your life, I’ll vouch for it.

The tech stuff is only interesting to tech people who are used to facing situations where people want miracles. My father was a commercial pilot and used to always say “We’ve been doing so much, with so little, for so long, that now we can do almost anything with nothing at all.” It’s pretty true, as most people just don’t get their desktop, let alone what goes on in the server room.

One of the things I find cool about widemile is that we have a professional blogger, Billy Shih, working for us. Billy blogs on all things multivariate testing related. I see more and more companies joining and building communities, sometimes in cool ways like Dell Ideastorm. While at times company blogs are well written and come off more corporate than organic, it’s great to see real information and opinions come out of a place that you work for, rather than highly positioned marketing pieces that always make me, and I assume most of my peers, immediately glaze over. As an employee I also get a weekly email from him about what the tubes are up to. When I listen to colleagues talk about weekly HR emails about new policies against using off-white paper for clients whose names begin with the letter P, I feel fortunate to be in a place with real culture and humanity.

ssh key generation: rsa or dsa

Who knows? I wanted an educated response but couldn’t get one from any of the security people I know on irc.

Putty used to hate DSA but now just has a warning against DSA. Simon Tatham explains the choices a little further in a comp.security.ssh thread.

[05:37pm|fR> btm: my understanding has been that dsa was used because rsa used to be patented or something

There’s a good thread, even with Grumpy Theo comments here as to the patent (US Patent #4405829). US Patents are good for 17 years so being issued on Sep 20, 1983, means it would have expired about Sep 20, 2000. RSA did this funny press release about putting the patent in the public domain, so very nice of them, on Sep 7, 2000. It’s funny, I remember this being in the news back then… back in the day.

I saw somewhere that DSA was a little bit faster, but it was a random group post somewhere that I didn’t care to link to. It was only a LITTLE bit faster, like 300ms maybe. Since DSA needs a fresh random value for every signature (so poor entropy from a broken pseudo random number generator can leak the key), while RSA is no longer patent encumbered, fully supported by ssh2, and has been kicked around by the cryptographic community for quite some time, I’m going to use RSA2 (which I assume is just the SSH2 implementation of RSA). I forget right now what sucked about ssh1 rsa, but it sucks, and I’d recommend disabling support for ssh1 in your gear whenever possible.
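The “poor entropy” worry about DSA is specific: every DSA signature needs a fresh secret random value k, and if a broken PRNG ever hands out the same k twice, the two signatures give away the private key with a few lines of modular arithmetic. As an added illustration (my code, not the post’s), here is a toy-sized DSA in Python with that recovery carried out. The parameters are deliberately tiny (a ~17-bit q found by trial division) so it runs instantly; real keys use 1024/160-bit parameters and up, but the algebra is identical. The message strings are made up.

```python
import hashlib
import random


def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def toy_dsa_params(q_min=100000):
    """Toy DSA domain parameters (p, q, g): q prime, p = m*q + 1 prime, g of order q.
    Real parameters are 1024/160-bit and larger; the algebra is the same."""
    q = next_prime(q_min)
    m = 2
    while not is_prime(m * q + 1):
        m += 1
    p = m * q + 1
    for h in range(2, p - 1):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
    raise ValueError("no generator found")


def hash_to_int(msg, q):
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q


def sign(params, x, msg, k):
    """DSA signature with an explicit per-signature secret k, 0 < k < q.
    k is normally drawn fresh from the PRNG; here it is a parameter so reuse can be shown."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (hash_to_int(msg, q) + x * r)) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s


def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (hash_to_int(msg, q) * w) % q
    u2 = (r * w) % q
    return ((pow(g, u1, p) * pow(y, u2, p)) % p) % q == r


def recover_private_key(params, msg1, sig1, msg2, sig2):
    """Two signatures that share r were made with the same k; solve for k, then x.
    s1 - s2 = k^-1 (h1 - h2)  =>  k = (h1 - h2)/(s1 - s2);  x = (s1*k - h1)/r  (mod q)."""
    _, q, _ = params
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or (s1 - s2) % q == 0:
        raise ValueError("signatures do not share a nonce; nothing to recover")
    h1, h2 = hash_to_int(msg1, q), hash_to_int(msg2, q)
    k = ((h1 - h2) * pow(s1 - s2, -1, q)) % q
    return ((s1 * k - h1) * pow(r1, -1, q)) % q


def demo():
    """Key pair, a 'stuck' PRNG that returns the same k twice, two signatures, recovery."""
    params = toy_dsa_params()
    p, q, g = params
    rng = random.Random(2008)  # seeded so the demo is repeatable
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    m1, m2 = b"ssh login as btm", b"ssh login as root"  # constructed messages
    while True:
        k = rng.randrange(1, q)  # the PRNG output both signatures end up sharing
        try:
            sig1, sig2 = sign(params, x, m1, k), sign(params, x, m2, k)
            break
        except ValueError:
            continue
    assert verify(params, y, m1, sig1) and verify(params, y, m2, sig2)
    return x, recover_private_key(params, m1, sig1, m2, sig2)


if __name__ == "__main__":
    real, recovered = demo()
    print("private x =", real, "recovered =", recovered)
```

The tell for an observer is simply two signatures with the same r; nothing about the key or the messages needs to be known in advance. RSA signing has no per-signature randomness of this kind, which is the concrete reason behind the preference stated above.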

office live communications server 2007 and public IM connectivity

Office LCS 2007 (Live Communications Server 2007) has a feature that’s referred to as PIC, or Public IM Connectivity. It looks like a feature that was in LCS 2005 as well, perhaps only after a service pack. It’s federation support to connect to MSN, AOL and Yahoo. I’m on Google Talk (jabber) and AOL IM (AIM) daily, so I use Pidgin (formerly GAIM) which is so much cleaner than the other IM clients, supports most IM protocols and supports a really nice tabbed messaging window.

I needed to contact a consultant that uses MSN today, and rather than install MSN Messenger and try to remember my password for it, I figured I’d setup the IM stuff.

Nope.

It’s not that they reverse engineered the protocols or got a license to use the protocols or anything like that, they actually federate right into those companies networks, into the mess of it.

See Microsoft’s article about enabling PIC. Man. At the very least can’t everything support jabber? Vendor lock in for the lose.

550 5.7.1 RESOLVER.RST.AuthRequired; authentication required

Weird Exchange 2007 errors. I had a system that was sending updates via SMTP but not working. I whitelisted the IP address of the server on the Edge server under anti-spam, like you do, but the Hub Transport started denying the message with “550 5.7.1 RESOLVER.RST.AuthRequired; authentication required”. It took me a while to notice that I was getting the 5.7.1 error on the Hub Transport role rather than the Edge role, as I’ve grown used to having to log into the Edge role to deal with any anti-spam stuff (5.7.1 is the generic “delivery not authorized” code, which I’d come to associate with anti-spam).

Turns out on the Hub, EMC, Recipient Configuration, Distribution Group, Properties of the Group, Mail Flow Settings Tab, Message Delivery Restrictions, Properties there is a check box for “Require that all senders are authenticated”.

That is far, far too many levels deep for a new default setting.

http://ticket/Display.html bug in request-tracker

After installing request-tracker3.6 on debian etch via the package, the ‘RT at a glance’ screen has default search named ’10 highest priority tickets I own’ (or ‘[_1] highest priority tickets I own’). The ticket # column links fine but the subject column creates links like: ‘http://ticket/Display.html?id=13’ that lack the hostname. This is due to a bug in initialdata:

/etc/request-tracker3.6/initialdata contains on line 595:

"$RT::WebPath/Ticket/Display.html?id=__id__\">__Subject__

When it should contain:

"$RT::__WebPath__/Ticket/Display.html?id=__id__\">__Subject__

Which is setup when you first create your database. I see a report of fixing it with rt-setup-database that lacks instructions on how to do so.

I finally found instructions here which amounted to:

1) Use mysql (run mysql, then 'use rtdb;' or whatever the name of your db is) to find the id of the search entry: select id, Name from Attributes WHERE Name = 'Search - My Tickets';
2) Delete this entry: DELETE FROM Attributes WHERE id = x; where x is the id from above
3) Put the following in a file named repair-search:


@Attributes = (
{ Name => 'Search - My Tickets',
Description => '[_1] highest priority tickets I own', # loc
Content =>
{ Format => "'__id__/TITLE:#', '__Subject__/TITLE:Subject', Priority, QueueName, ExtendedStatus",
Query => " Owner = '__CurrentUser__' AND ( Status = 'new' OR Status = 'open')",
OrderBy => 'Priority',
Order => 'DESC' },
},
);

4) run 'rt-setup-database --action insert --datafile repair-search --dba rtuser' where rtuser is the name of your RT database user.

Things just worked after this, no need to restart apache or clear the mason cache or anything.

It was an upstream bug, debian bug here, references in RT #7637, #7657 and #7854.

synergy pseudo-kvm

I’d heard about synergy in the past but never tried it. It lets you share one keyboard and mouse over multiple desktops. Double-coolness because it should work on both Windows and Linux boxes. I’ve got two XP boxes on my desk; I used to only run one dual-head and run another box for gaming and a server. I finally got around to making them both dual-head tonight on flat panels, as I’ve replaced the server with some consumer NAS gear that’s much quieter.

Worst part of synergy was figuring out how to config it. Keep in mind you need a link for both directions, that is, one to go from every computer to every other computer and back. I left the percentages alone. “Screens” are the host names of the computers (having multiple monitors is still one screen), which you can adjust from the defaults if you wish before you hit start under advanced.

Slick as snot though, I can move the mouse across all four monitors (two XP boxes) and use the keyboard on both.

Of course you can’t move windows between the boxes, but the clipboard seems to work, which totally solves my problem of having an IM or IRC on a different box than I’m browsing the web on. One caveat: synergy carries every keystroke and clipboard paste over a plain TCP connection (port 24800 by default) with no encryption or authentication, so keep it on a trusted segment or tunnel it over ssh.

ldap auth for request-tracker3.6 on debian etch

The debian request-tracker3.6 package puts things in different places than request tracker expects.

If you haven’t yet run 'zless /usr/share/doc/request-tracker3.6/NOTES.Debian.gz', do so now!

At first, after following the steps outlined on the bestpractical RT wiki for the LDAP Overlay, I was befuddled by not seeing any LDAP traffic. After taking a look in /var/log/syslog, I noticed an LDAP request when I logged into the local root account but not when I tried to log in as an LDAP user, and realized that RT doesn’t bother trying LDAP auth if the account doesn’t exist locally. So you need to use LdapAutocreateAuthCallback, but where do you put it on debian etch?

/usr/share/request-tracker3.6/html/Callbacks/LDAP/autohandler/Auth

Auth is the filename, and you may need to create those folders.

logs for a local user:

syslog:Jan 23 09:11:12 hostname RT: Trying LDAP authentication
syslog:Jan 23 09:11:12 hostname RT: RT::User::IsLDAPPassword AUTH FAILED: root (/usr/share/request-tracker3.6/lib/RT/User_Local.pm:184)
syslog:Jan 23 09:11:12 hostname RT: RT::User::IsPassword auth method IsLDAPPassword FAILED

failing logs for an ldap ONLY user:

Jan 23 09:27:12 hostname RT: FAILED LOGIN for btmsldapuser from 10.0.0.60 (/usr/share/request-tracker3.6/html/autohandler:238)
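As an added example (my code, not from the post), the distinction just made can be pulled out of syslog mechanically. The script below parses RT’s log lines and, for each FAILED LOGIN, reports whether a “Trying LDAP authentication” line was logged in the same second, the tell that the account exists in RT and LDAP actually rejected the password, as opposed to RT never reaching LDAP at all. It also counts failures per source address, the obvious thing to alert on for a login form reachable from the network. The sample lines are constructed from the ones above plus invented entries (alice, and a burst of guesses from 10.0.0.99); matching on the one-second timestamp is deliberately coarse and will conflate two logins that land in the same second.

```python
import re
from collections import Counter

SYSLOG_RE = re.compile(r"^(?:syslog:)?(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) RT: (.*)$")
FAILED_LOGIN_RE = re.compile(r"FAILED LOGIN for (\S+) from (\S+)")

# Constructed sample: the lines from the post plus invented entries for alice
# and a burst of guesses from 10.0.0.99.
SAMPLE = """\
Jan 23 09:11:12 hostname RT: Trying LDAP authentication
Jan 23 09:11:12 hostname RT: RT::User::IsLDAPPassword AUTH FAILED: root (/usr/share/request-tracker3.6/lib/RT/User_Local.pm:184)
Jan 23 09:11:12 hostname RT: RT::User::IsPassword auth method IsLDAPPassword FAILED
Jan 23 09:27:12 hostname RT: FAILED LOGIN for btmsldapuser from 10.0.0.60 (/usr/share/request-tracker3.6/html/autohandler:238)
Jan 23 09:30:01 hostname RT: Trying LDAP authentication
Jan 23 09:30:01 hostname RT: RT::User::IsLDAPPassword AUTH FAILED: alice (/usr/share/request-tracker3.6/lib/RT/User_Local.pm:184)
Jan 23 09:30:01 hostname RT: FAILED LOGIN for alice from 10.0.0.61 (/usr/share/request-tracker3.6/html/autohandler:238)
Jan 23 09:30:05 hostname RT: FAILED LOGIN for admin from 10.0.0.99 (/usr/share/request-tracker3.6/html/autohandler:238)
Jan 23 09:30:06 hostname RT: FAILED LOGIN for administrator from 10.0.0.99 (/usr/share/request-tracker3.6/html/autohandler:238)
Jan 23 09:30:07 hostname RT: FAILED LOGIN for root from 10.0.0.99 (/usr/share/request-tracker3.6/html/autohandler:238)
"""


def parse_line(line):
    """syslog line -> {'ts', 'host', 'msg'}, or None for anything that is not an RT line.
    A leading 'syslog:' (the grep -r output prefix seen above) is tolerated."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, msg = m.groups()
    return {"ts": ts, "host": host, "msg": msg}


def classify_failures(text):
    """One record per FAILED LOGIN. ldap_tried is True when RT logged
    'Trying LDAP authentication' in the same second, i.e. the account exists in RT
    and LDAP rejected the password; False means the request never reached LDAP
    (the symptom described in the post)."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    ldap_tried = {e["ts"] for e in events if e["msg"].startswith("Trying LDAP authentication")}
    failures = []
    for e in events:
        m = FAILED_LOGIN_RE.search(e["msg"])
        if not m:
            continue
        user, src = m.groups()
        failures.append({"ts": e["ts"], "user": user, "src": src,
                         "ldap_tried": e["ts"] in ldap_tried})
    return failures


def noisy_sources(text, threshold=3):
    """Source addresses with at least `threshold` failed logins: the thing to alert on."""
    counts = Counter(f["src"] for f in classify_failures(text))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in classify_failures(SAMPLE):
        print(f)
    print("noisy:", noisy_sources(SAMPLE))
```

On the sample, btmsldapuser’s failure shows ldap_tried False (the case the callback below fixes), alice’s shows True, and 10.0.0.99 trips the threshold.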

My configs follow:

# RT_SiteConfig.pm
#
# These are the bits you absolutely *must* edit.
#
# To find out how, please read
# /usr/share/doc/request-tracker3.6/NOTES.Debian

# THE BASICS:

Set($rtname, 'host.domain.com');
Set($Organization, 'domain.com');

Set($CorrespondAddress , 'rt@domain.com');
Set($CommentAddress , 'rt-comment@domain.com');

Set($Timezone , 'US/Pacific'); # obviously choose what suits you

# THE DATABASE:

Set($DatabaseType, 'mysql'); # e.g. Pg or mysql

# These are the settings we used above when creating the RT database,
# you MUST set these to what you chose in the section above.

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'rtpassword');
Set($DatabaseName , 'rtdb');

# THE WEBSERVER:

Set($WebPath , "");
Set($WebBaseURL , "http://host.domain.com");

# Authentication

### What auth methods do you like and in what order?

Set($AuthMethods, ['LDAP', 'Internal']);
#Set($AuthMethods, ['LDAP']);
### LDAP Settings
#
# There are two different branches of this: LdapAuth* and LdapInfo*;
# additionally, most of the old Ldap* variables are honored, too.
#
# This means if you only have one LDAP server/config you can just set
# "LdapServer", "LdapUser", etc. and they will be used for both
# authentication and information

### Enable/Disable LDAP services
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);

### Common Settings: affecting both auth and info services

# Should we create accounts for users who aren't in LDAP?
Set($LdapAutoCreateNonLdapUsers, 1);

# Map RT attributes to LDAP attributes
#
### THE MAPPING BELOW WILL NOT WORK FOR YOU UNLESS YOU CHANGE
### IT TO MATCH YOUR LDAP SCHEMA! See http://wiki.bestpractical.com/view/LdapAttrMap
### to learn how to set this variable properly for either LDAP or Windows
### Active Directory.
Set($LdapAttrMap, {
'Name' => 'sAMAccountName',
'EmailAddress' => 'mail',
'Organization' => 'physicalDeliveryOfficeName',
'RealName' => 'cn',
'ExternalContactInfoId' => 'dn',
'ExternalAuthId' => 'sAMAccountName',
'Gecos' => 'sAMAccountName',
'HomePhone' => 'homePhone',
'WorkPhone' => 'telephoneNumber',
'MobilePhone' => 'mobile',
'PagerPhone' => 'pager',
'Address1' => 'streetAddress',
'Address2' => 'postOfficeBox',
'City' => 'l',
'State' => 'st',
'Zip' => 'postalCode',
'Country' => 'co',
'FreeformContactInfo' => 'info'}
);

# A list of RT attrs which can uniquely identify a user,
# ordered from most to least preferred.
Set($LdapRTAttrMatchList, ['ExternalContactInfoId', 'Name',
'EmailAddress', 'RealName',
'WorkPhone', 'Address2']
);

# A list of LDAP attrs to examine when canonicalizing email addresses,
# ordered from most to least preferred
Set($LdapEmailAttrMatchList, ['mail', 'mailRoutingAddress',
'mailAlternateAddress']
);
# A list of prefixes to apply to email address matches.
# Windows 2003 AD uses prefixes or smtp: or SMTP:.
# If not required just leave ''
Set($LdapEmailAttrMatchPrefix, ['', 'smtp:', 'SMTP:'] );

# The basics; if set, these override $RT::LdapAuth* and $RT::LdapInfo*
Set($LdapServer, 'ldap.domain.com');
Set($LdapBase, 'dc=domain,dc=com');
Set($LdapFilter, '(objectclass=*)');
#Set($LdapFilter, '(objectclass=posixAccount)');
# Windows 2003 Active Directory does not allow anonymous LDAP binding
# thus you must pass Net::LDAP a username and password that has
# access to read the directory.
#
# You may also need to specify the full distinguished name instead of
# just a username for LdapUser below.
# e.g. cn=Username,cn=Users,dc=yourdomain,dc=com
#
Set($LdapUser, 'binddn');
Set($LdapPass, 'bindpassword');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
Set($LdapDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapGroupAttr, 'uniqueMember');

# These turn on SSL for LDAP
# (left off here: the bind password above and every user's password then
# cross the wire to ldap.domain.com in the clear)
#Set($LdapTLS, 0);
#Set($LdapSSLVersion, 3);

### IF YOU USE THE SAME LDAP SERVER FOR AUTH AND INFO STOP HERE ###

### Authentication settings

#
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above

#Set($LdapAuthServer, 'ldap.example.com');
#Set($LdapAuthBase, 'ou=People,dc=example,dc=com');
#Set($LdapAuthFilter, "(objectclass=posixAccount)");
#Set($LdapAuthUser, '');
#Set($LdapAuthPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
# Set($LdapAuthDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapAuthGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapAuthGroupAttr, 'uniqueMember');
# These turn on SSL for LDAP
#Set($LdapAuthTLS, 0);
#Set($LdapAuthSSLVersion, 3);

### Information settings

#
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above

#Set($LdapInfoServer, 'ldap.example.com');
#Set($LdapInfoBase, 'ou=People,dc=example,dc=com');
#Set($LdapInfoFilter, "(objectclass=posixAccount)");
#Set($LdapInfoUser, '');
#Set($LdapInfoPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
# Set($LdapInfoDisableFilter, '(employmentStatus=Terminated)');

# These turn on SSL for LDAP
#Set($LdapInfoTLS, 0);
#Set($LdapInfoSSLVersion, 3);

1;

and my apache2 config:

NameVirtualHost *

ServerName rt.domain.com
ServerAlias rt
ServerAdmin admin@domain.com
AddDefaultCharset UTF-8

PerlModule Apache2::RequestRec Apache2::compat
PerlModule Apache::DBI
PerlRequire /usr/share/request-tracker3.6/libexec/webmux.pl
PerlSetVar MasonArgsMethod CGI

DocumentRoot /usr/share/request-tracker3.6/html
SetHandler perl-script
PerlHandler RT::Mason

RedirectMatch permanent (.*)/$ http://rt.domain.com$1/index.html

ErrorLog /var/log/apache2/rt.error.log
LogLevel warn
CustomLog /var/log/apache2/rt.access.log combined
ServerSignature On

hacking debian repository release file

I’ve posted recently about doing local debian pxe preseed installs and using apt-mirror for multiple architectures. I went back today and had the network install failing because I had removed the release file to get an additional repository working that I had created for locally maintained debs like a vmware-server created with a backport of vmware-package.

There just isn’t good information out there on creating the Release file. You’ll need:

d-i debian-installer/allow_unauthenticated string true

in your preseed file or the installer will fail with an error that doesn’t make sense until you look at the log on the fourth console (tty4) and see it’s not finding the Release.gpg signature. This seemed infinitely easier than trying to get signing working locally and then pushing out the public key in the initrd. Since the initrd comes from the same server, elite haxors have already won the chicken-or-egg problem anyway, and if they want to try that hard they can and I’ll go get a beer instead.

Originally I took the Release file and removed everything from MD5Sum: down, then modified the Architectures and Components lines, but I was getting a “bad d-i packages file” error from the installer. Recreating from the original Release file, changing only those two lines and leaving all of MD5Sum: in, worked okay. I didn’t bother looking at the code to see why. This just worked for me, and most of the posts on the internet about “bad d-i packages file” referred to installs from CDs that were bad burns.
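Since there is so little written about producing a Release file, here is an added example (my code, not from the post and not Debian’s own tooling) that builds one: it walks dists/<suite>, emits the header fields and then the MD5Sum/SHA1/SHA256 sections in the layout apt and the installer expect, and includes the verification step the installer performs. That last part is the reason the checksum section matters: the installer’s net-retriever checks the Packages file it downloads against these lines, which is why a Release with MD5Sum: cut off yields the “bad d-i packages file” error. Origin/Label/Description values and the sample Packages content are made up. Once the file exists, signing it is one command, gpg -abs -o Release.gpg Release, if you’d rather not set allow_unauthenticated.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

ALGOS = ("MD5Sum", "SHA1", "SHA256")  # section names as apt spells them


def file_digests(path):
    """All three digests plus the size of one file, read once."""
    hashers = {"MD5Sum": hashlib.md5(), "SHA1": hashlib.sha1(), "SHA256": hashlib.sha256()}
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}, size


def build_release(dist_dir, suite, codename, architectures, components,
                  origin="local", label="local", description="Local mirror", now=None):
    """Text of dists/<suite>/Release: header fields, then one section per digest
    listing every file below dist_dir as ' <digest> <size> <relative path>'.
    Release itself and its signatures are skipped so the file can be regenerated."""
    now = now or datetime.now(timezone.utc)
    entries = []
    for root, _dirs, files in os.walk(dist_dir):
        for name in files:
            if name in ("Release", "Release.gpg", "InRelease"):
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, dist_dir).replace(os.sep, "/")
            digests, size = file_digests(full)
            entries.append((rel, size, digests))
    entries.sort()
    lines = [
        f"Origin: {origin}",
        f"Label: {label}",
        f"Suite: {suite}",
        f"Codename: {codename}",
        f"Date: {now.strftime('%a, %d %b %Y %H:%M:%S UTC')}",
        f"Architectures: {' '.join(architectures)}",
        f"Components: {' '.join(components)}",
        f"Description: {description}",
    ]
    for algo in ALGOS:
        lines.append(f"{algo}:")
        for rel, size, digests in entries:
            lines.append(f" {digests[algo]} {size:16d} {rel}")
    return "\n".join(lines) + "\n"


def parse_release_checksums(text, algo="SHA256"):
    """The <algo> section read back as {relative path: (hexdigest, size)}."""
    out, active = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):
            active = line == algo + ":"
            continue
        if active:
            digest, size, path = line.split()
            out[path] = (digest, int(size))
    return out


def verify_release(dist_dir, text, algo="SHA256"):
    """The check the installer makes on Packages, applied to every listed file:
    returns the paths whose digest or size no longer matches (or that are missing)."""
    bad = []
    for rel, (digest, size) in parse_release_checksums(text, algo).items():
        full = os.path.join(dist_dir, rel)
        if not os.path.isfile(full):
            bad.append(rel)
            continue
        got, got_size = file_digests(full)
        if got[algo] != digest or got_size != size:
            bad.append(rel)
    return bad


def demo():
    """Build a throwaway dists/etch tree with one constructed Packages file and
    return (dist_dir, release_text, path_to_packages)."""
    dist_dir = tempfile.mkdtemp(prefix="dists-etch-")
    pkg_dir = os.path.join(dist_dir, "main", "binary-i386")
    os.makedirs(pkg_dir)
    packages = os.path.join(pkg_dir, "Packages")
    with open(packages, "wb") as f:
        f.write(b"Package: example\nVersion: 1.0-1\nArchitecture: i386\n\n")
    text = build_release(dist_dir, "etch", "etch", ["i386", "amd64"], ["main"],
                         now=datetime(2008, 1, 20, tzinfo=timezone.utc))
    with open(os.path.join(dist_dir, "Release"), "w") as f:
        f.write(text)
    return dist_dir, text, packages


if __name__ == "__main__":
    d, text, _ = demo()
    print(text)
    print("mismatches:", verify_release(d, text))
```

Regenerate Release (and re-sign) every time a Packages file changes; verify_release against the old text is a quick way to see which index a rebuilt repository has silently invalidated.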

MCTS 70-620

I passed 70-620 today, which was my first MCTS exam. It’s just Vista configuration, a pretty easy test, although I was amused by how consumer focused this stuff is now, with crap like Windows Media and whatnot. They really are going for a three tier model like Cisco, although I’ll never bother with the MCA while I’d like to get a CCIE some day.

It was a lame test, I should have taken 70-624 which is about the new Business Desktop Deployment software which I’m hoping is RIS done right, although I haven’t used it yet. I guess that’s why, I’ve been using Vista a bit since I’m supporting it at work now. Either meets a pre-requisite for the upcoming MCITP: Enterprise Administrator, which looks like the next certification to replace my MCSE: Server 2003 cert. I guess I just took the easier route. I think the other Server 2008 exams are out, but I’m not using it yet. I don’t know if I’ll get more Vista certs for the MCDST equivalent next or go back to something harder like Cisco or LPI. Upgrading to an LPIC-3 or finishing my CCNP would probably be a better use of my time.

att tilt tethering done simple and cheap

I have an AT&T (Cingular) (HTC) Tilt with Windows Mobile 6. There’s some extra charge for tethering; I don’t know anything about that. This is kind of like the GPS in it: they want you to buy Telenav or something, but it works out of the box with Google Maps Mobile if you download it. I used the QuickGPS in the control panel somewhere to make it GPS-lock faster, but that’s another conversation.

Anyways, I have a laptop with ActiveSync 4.5 installed running XP Pro SP2. When I connect the phone using USB, activesync wants to sync it, which is slightly annoying because it only supports profiles for two computers, so syncing to my home desktop, work desktop and laptop is a no-fly zone.

ipconfig will show a 169.254.x.x address with no DNS and the gateway pointing back at the computer, with the phone, I believe, acting as a DHCP server.

Anyways, if you use File Explorer on the phone to navigate to \Windows, you’ll find ‘Internet Sharing’. I haven’t figured out how to make a menu option yet; I assume there normally is one but it’s removed because Cingular wants to get that extra fee out of you. If you run this, leave it on USB and MediaNet and hit connect, you’ll see it disconnect on your laptop and Windows will redetect it as a Windows Mobile based Internet Sharing device.

ipconfig will now show a 192.168.0.x address with gateway/dhcp/dns of the phone. I assume it’s NATing. Cisco AnyConnect SSL VPN works fine through it at least, I haven’t tried anything IPSEC based though.

It looks like activesync doesn’t see the phone anymore, I figure we need to choose disconnect in Internet Sharing on the phone to make the usb cable go back to normal mode.

scripting password changes over ssh

Lots of examples on the net for scripting password changes using sed and perl and all kinds of other crap, easier is to use chpasswd:

bash# for host in host1 host2 host3; do ssh $host 'echo root:newpassword | chpasswd' ; done

newpassword is in cleartext. It looks like there’s an option on chpasswd to use DES or something instead; I just needed to set these all quickly and move along. You’ll have to deal with ssh authentication yourself, either by typing in the password or using keys or whatever.
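An added variation on the loop above (my code, not from the post): feed the user:password line to chpasswd over stdin instead of embedding it in the remote command. With the one-liner the password sits in the local shell history, in the local ssh argv, and on the remote side in the argv of the sh -c that runs the echo pipeline, visible to anyone running ps at the wrong moment; over stdin it appears in none of those. chpasswd also accepts an already hashed password with -e, which is the option the post alludes to. The host names are placeholders, and the runner argument exists so the logic can be exercised without real hosts.

```python
import subprocess


def chpasswd_argv(host, hashed=False, ssh_user="root"):
    """ssh argv that runs chpasswd on the remote host. chpasswd reads
    'account:password' lines from stdin; with -e the password field is
    expected to be an existing crypt(3) hash rather than cleartext."""
    cmd = "chpasswd -e" if hashed else "chpasswd"
    return ["ssh", f"{ssh_user}@{host}", cmd]


def set_passwords(hosts, account, secret, hashed=False, runner=subprocess.run):
    """Set one account's password on every host, returning {host: exit status}.

    The secret travels only on the ssh session's stdin: it is never part of an
    argv, so it shows up in neither shell history nor `ps` output on either end.
    `runner` is subprocess.run by default and is injectable for testing."""
    results = {}
    for host in hosts:
        argv = chpasswd_argv(host, hashed)
        proc = runner(argv, input=f"{account}:{secret}\n", text=True, capture_output=True)
        results[host] = proc.returncode
    return results


def failed_hosts(results):
    """Hosts whose chpasswd did not exit 0, so a half-applied rollout is obvious."""
    return sorted(h for h, rc in results.items() if rc != 0)


if __name__ == "__main__":
    import getpass
    hosts = ["host1", "host2", "host3"]  # placeholders
    new_pw = getpass.getpass("new root password: ")  # prompt rather than argv
    res = set_passwords(hosts, "root", new_pw)
    print(res, "failed:", failed_hosts(res))
```

The same stdin trick works for any tool that reads secrets from standard input; the general rule is that argv is public on a Unix host and stdin is not.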

was unexpected at this time – windows batch scripts

Haven’t had to write batch scripts for a while and forgot the FOR syntax. Most annoying was remembering that the variable name can’t be more than one character, such as:

for /L %foo in (1,1,254) do echo %foo
%foo was unexpected at this time.

If you just change foo to x it works fine (inside a .bat file the same variable is written %%x, and a single % there gives the same error), e.g. for updating DNS entries quickly:

for /L %x in (1,1,254) do dnscmd domaincontroller /recordadd yourdomain.com 192.168.10-%x.vpn A 192.168.10.%x
for /L %x in (1,1,254) do dnscmd domaincontroller /recordadd 10.168.192.in-addr.arpa. %x PTR 192-168-10-%x.vpn.yourdomain.com.

Note that the latter creates leaf nodes with records using @ (the parent folder). This is visually annoying, and I don’t know another way to do it. It seems to work fine, and for whatever reason other entries, like automatically registered DNS from clients, start to follow this tree. Not that YOU are using DNS to track whether an IP address is available or not anyway.

2724 user name or password is missing

While trying to document a network I couldn’t get into a dell powerconnect 2724. Every time I tried to log in I got a “user name or password is missing” error. The switch was in production so I couldn’t try to reset it to defaults and I needed to see the vlan configuration in the first place. I ended up emailing another administrator who I thought had set it up and he replied with a username/password I had tried. A few minutes later he said he had to do it from a machine without Avast installed.

I tried it today and sure enough avast resident protection breaks things. The TCP streams are interesting to take a look at, looks like avast might be throwing a spurious return in the http request so the username and password are being sent in a separate segment. Disabling resident protection makes everything work normal again.

Armed with avast as a search term, it looks like a common problem. The 2748 works fine over http. It does use different post variables and doesn’t appear to bother to encode the passwords. I assume that was base64 encoding on the 2724, which is an encoding rather than encryption, so either way the credentials are readable by anyone sniffing the plain http session.

upgrading windows server 2003 to R2

I think this was easy to find, but I was really happy to find this kb article late last night. If you haven’t installed 2003 R2 before, it’s basically a 2003 install with a 2nd CD that installs the R2 parts. The cool part about this is you can upgrade a 2003 server to R2 with just the 2nd CD. The article has a bunch of edge cases but basically if you have 2003 SPx Standard, you can upgrade to R2 just by running the setup on the 2nd R2 CD. It’s worth noting that the install warned that I would not be able to uninstall the service pack after the upgrade.

I had a server that needed to be R2 as it was x64 and someone else had built it, installed updates, done the dcpromo, etc. I had to be R2 as SFU (Services For Unix) won’t install on x64. I tried. It said no. Fortunately R2 has parts of SFU built in, rebranded as Identity Management for Unix. Upgrading to/Installing R2 x64 was pretty easy, except that I got nervous when a .NET Framework child install took forever and provided no progress indication.

R2 provides RFC2307 compliantish schema updates that allow putting uid/gid/shell/etc into LDAP. There’s even an ADUC tab called “Unix Attributes”, but I didn’t see anything more enterprise. It just assigns the next available uid starting at 10,000 out of the box. It’s really part of this “NIS Server” functionality, so if you’re a NIS shop it may be easy to tie the bits together. DO NOT Install ‘Password Synchronization’. You don’t need it for NIS/LDAP, and it appears you have to demote to remove it.