
jboss ha weirdness

I don’t know enough about JBoss to make an intelligent keyword-filled post about this, but I wanted to note that while troubleshooting JBoss HA-JNDI JMS crap, make sure that telnetting to port 1099 produces an FQDN. On a couple of servers /etc/hosts had a different hostname portion in the FQDN than the hostname alias, and this silently broke JMS. Telnetting to 1099 revealed this, or at least indicated it was DNS related, as working boxes were giving an FQDN while non-working boxes weren’t. I think JGroups isn’t friendly with DNS overall.
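Since the /etc/hosts mismatch above is easy to miss by eye, here is an added example (not from the original post) that audits a hosts file for the two shapes of that problem: a short alias whose name does not match the first label of the FQDN on its line, and a line whose first (canonical) name is the short name rather than the FQDN, which is what the resolver then hands back to anything asking for the box's full name. The sample hosts content is constructed for the example.

```python
"""Audit /etc/hosts for FQDN / short-name inconsistencies (added example)."""
from typing import Dict, List, Tuple

# Constructed sample; the .12 and .13 lines each show one of the problems checked below.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# application tier
10.0.0.11   app11.example.com app11
10.0.0.12   app12.example.com app-twelve
10.0.0.13   app13 app13.example.com
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, names) for every entry, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Return two lists of findings.

    alias_mismatch: a short alias whose name is not the first label of any FQDN
        on the same line (the inconsistency described in the post).
    short_canonical: the first name on the line is not an FQDN although the line
        has one; the resolver reports the first name as the canonical name, so
        lookups on that host return the short name instead of the FQDN.
    """
    findings: Dict[str, List[str]] = {"alias_mismatch": [], "short_canonical": []}
    for addr, names in parse_hosts(text):
        fqdns = [n for n in names if "." in n]
        if not fqdns:
            continue  # localhost-style lines have nothing to compare against
        if "." not in names[0]:
            findings["short_canonical"].append(
                f"{addr}: canonical name {names[0]!r} is not an FQDN")
        labels = {f.split(".", 1)[0].lower() for f in fqdns}
        for alias in (n for n in names if "." not in n):
            if alias.lower() not in labels:
                findings["alias_mismatch"].append(
                    f"{addr}: alias {alias!r} does not match {sorted(fqdns)}")
    return findings


if __name__ == "__main__":
    # Run against the real file with: audit_hosts(open("/etc/hosts").read())
    for kind, items in audit_hosts(SAMPLE_HOSTS).items():
        for item in items:
            print(kind, item)
```

Run it against the real file on each node in the cluster and compare: the nodes that report the short name are the ones whose HA-JNDI banner will lack the FQDN.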

configuring vmware guest time synchronization

I really want a google certification. That is, a certification that says I am an expert googler. To the uninitiated, google may seem like a simple thing, but finding what you really need usually isn’t.

I saw this forum post while trying to figure out how to configure vmware guest time synchronization with scripts running off of vmware server. Something wasn’t right though:

# vmware-guestd --cmd 'vmx.set_option time.synchronize.tools.startup 0 1'
Unknown option name

So I went and grabbed the new open-vm-tools source. In ‘lib/include/vm_app.h’

#define TOOLSOPTION_SYNCTIME "synctime"
#define TOOLSOPTION_COPYPASTE "copypaste"
#define TOOLSOPTION_AUTOHIDE "autohide"
#define TOOLSOPTION_BROADCASTIP "broadcastIP"
#define TOOLSOPTION_ENABLEDND "enableDnD"
#define TOOLSOPTION_SYNCTIME_PERIOD "synctime.period"
#define TOOLSOPTION_SYNCTIME_ENABLE "time.synchronize.tools.enable"
#define TOOLSOPTION_SYNCTIME_STARTUP "time.synchronize.tools.startup"

Trying combinations of the last two did nothing, but I did have vmx.set_option as a search term and eventually found this post that just uses:

vmware-guestd --cmd 'vmx.set_option synctime 0 1'

Nothing appeared on the screen when I ran this on a guest, but I did notice that the vmx file for the guest on the host automatically changed from:

tools.syncTime = "FALSE"

to

tools.syncTime = "TRUE"

I thought I was going to have to write a sed script and have puppet change all the vmx files and do a reboot of all the guests. Much happier now.

stupid vim notes

I really need to just put my vimrc in a git repo on the tubes somewhere. I’m always forgetting these things. I’m not hardcore about custom configs, but this stuff really helps. If you’re not familiar with these things, this helps.

my ~/.vimrc file usually looks like this:

syntax on            " enable coloring for source and scripts
set tabstop=2        " make tabs two spaces instead of five or whatever
set expandtab        " uses spaces instead of tabs
set background=dark  " make that dark blue text light blue because I use black backgrounds

When you open a DOS text file on a unix box, sometimes it’s full of ^M characters. This is because of the CR/LF (DOS) versus LF (unix) line-ending difference. Sometimes it’s just visually annoying and distracting, sometimes a daemon crashes and burns because of them. I used to use :set filetype with unix/dos or something to convert files. These days I just open the file in vi/vim and do

:% s/^M$//

You need to enter the ^M by typing CTRL+V then CTRL+M.
:% means all lines
s is a substitution regex
^M$ is what you want to match, the $ meaning ‘at the end of the line’
the emptiness inside the // means you want to replace ^M with nothing

then save the file. ( :wq )
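When a whole tree of files needs this, doing it by hand in vim gets old. Below is an added example (not from the original post) that classifies a file's line endings and normalizes them to LF in bulk. It goes one step beyond the vim substitution: a bare-CR file (old Mac style) has no LF at all, so vim shows the entire file as one line with ^M in the middle and the `^M$` pattern never matches, while the replace below catches it. The sample byte strings are constructed for the example.

```python
"""Detect and normalize DOS/Mac line endings in bulk (added example)."""
from typing import Dict

# Constructed inputs: a DOS (CRLF) file, a classic-Mac (bare CR) file and a clean unix file.
DOS_SAMPLE = b"ServerName www\r\nListen 80\r\n"
MAC_SAMPLE = b"ServerName www\rListen 80\r"
UNIX_SAMPLE = b"ServerName www\nListen 80\n"


def classify(data: bytes) -> Dict[str, int]:
    """Count CRLF pairs, bare CRs and bare LFs; non-zero 'crlf' or 'cr' is what vim shows as ^M."""
    crlf = data.count(b"\r\n")
    return {"crlf": crlf, "cr": data.count(b"\r") - crlf, "lf": data.count(b"\n") - crlf}


def to_unix(data: bytes) -> bytes:
    """Same effect as :%s/^M$// on a CRLF file, plus bare-CR files, which that pattern
    misses because without any LF there is no end of line for the $ to anchor on."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def convert_file(path: str) -> Dict[str, int]:
    """Rewrite path with LF endings only when needed; returns the pre-conversion counts
    so a caller can log what it touched and leave already-clean files alone."""
    with open(path, "rb") as fh:
        data = fh.read()
    kinds = classify(data)
    if kinds["crlf"] or kinds["cr"]:
        with open(path, "wb") as fh:
            fh.write(to_unix(data))
    return kinds


if __name__ == "__main__":
    for name, sample in (("dos", DOS_SAMPLE), ("mac", MAC_SAMPLE), ("unix", UNIX_SAMPLE)):
        print(name, classify(sample), to_unix(sample) == UNIX_SAMPLE)
```

Check the counts before converting anything under /etc: a file that reports mixed endings was probably edited from two platforms, and a daemon that chokes on ^M is usually choking on exactly one such stray line.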

getting hostnames between vmware hosts and guests

The vmware-tools are open source now. There’s an open-vm-tools package for lenny/sid, but not etch. There are people out there who have backported it.

This package appears to make a ‘guestinfo.ip’ variable, which is a method for passing data between the host and guest without networking. There does not appear to be any variables for the hostname of the guest or the host by default, which is REALLY, REALLY dumb. You can make one though.

guest$ /usr/sbin/vmware-guestd --cmd 'info-get guestinfo.ip'

This is really awesomely funny:

guest$ /usr/sbin/vmware-guestd --cmd 'info-set guestinfo.hostname'
Two and exactly two arguments expected
guest$ /usr/sbin/vmware-guestd --cmd info-set guestinfo.hostname
Too many mandatory argument(s) on the command line. The maximum is 1.

[04:00pm|btm> HA HA HA HA HA
[04:02pm|jet_li> btm: welcome to my world
[04:02pm|jet_li> btm: here’s a hint. typing harder won’t help
[04:03pm|jet_li> btm: neither will profanity, or throwing things

This does work:

guest$ /usr/sbin/vmware-guestd --cmd 'info-set guestinfo.hostname foo'

Then on the server you can run ‘vmware-cmd -l’ to list your config files. Then run:

host$ vmware-cmd '/path/to/config.vmx' getguestinfo hostname

And you get:

getguestinfo(hostname) = foo

Now go do something useful with it (I’m going to use it with iClassify and puppet.)

getting a debian-installer ssh shell the hard way

There has to be an easier way…

Boot up into the installer, grab a vty2. (ALT-F2)
anna-install network-console (installs ssh)
network-console-menu (set password)
nano /etc/passwd (set shell to /bin/ash for installer user)

now you can ssh in as installer. if you don’t use network console and just install openssh-server-udeb, you don’t get hostkeys and config files. network-console-menu generates the hostkeys for you. if you don’t change the shell you’ll get dumped into the network-console menu when you ssh in, which is okay if that’s what you want.

all this just to: ‘tar -cvf - . | ssh installer@w.x.y.z tar -xf - -C /target’ meh.

creating debian release files for a local repository

In the past I’ve tried to hack the Release file with sed; this works better. Namely, my local repo’s Packages files were not in the Release file, and apt was getting upset about that now that I’m using signatures (SecureApt).

Somewhere make an apt-release.conf (copied and modified from here):

APT::FTPArchive::Release::Codename "etch";
APT::FTPArchive::Release::Origin "localhost.example.com";
APT::FTPArchive::Release::Components "main";
APT::FTPArchive::Release::Label "Local Debian Repository";
APT::FTPArchive::Release::Architectures "i386 amd64";
APT::FTPArchive::Release::Suite "stable";

Then use apt-ftparchive to create the Release file:

apt-ftparchive release -c /path/to/apt-release.conf \
/path/to/etch \
> /path/to/etch/Release

Then sign it: (you do have a local key and all that jazz, right?)

gpg -b /path/to/etch/Release
mv /path/to/etch/Release.sig /path/to/etch/Release.gpg

Should work fine for ubuntu too.
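To see what apt was actually upset about, here is an added example (not from the original post, and not apt's own code) that builds the checksum index part of a Release file in the same layout apt-ftparchive emits, then verifies a suite directory against it the way SecureApt does before it trusts a Packages file: every index must be listed, with matching size and digest. The metadata values come from the apt-release.conf above; the Packages stanza and the tampering step are constructed. The gpg signature over the Release file is left to the commands already shown.

```python
"""Build and verify the checksum index of a Debian Release file (added example)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Values from the apt-release.conf above; index paths follow the usual dists/<suite>/ layout.
RELEASE_META = {
    "Origin": "localhost.example.com", "Label": "Local Debian Repository",
    "Suite": "stable", "Codename": "etch",
    "Architectures": "i386 amd64", "Components": "main",
}
INDEX_FILES = ["main/binary-i386/Packages", "main/binary-amd64/Packages"]
HASH_SECTIONS = (("md5", "MD5Sum"), ("sha1", "SHA1"), ("sha256", "SHA256"))

# Constructed stanza standing in for a real Packages file.
SAMPLE_PACKAGES = b"""Package: local-tool
Version: 1.0-1
Architecture: all
Filename: pool/main/l/local-tool/local-tool_1.0-1_all.deb
Description: constructed sample package entry

"""


def hash_file(path: str, algo: str) -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_release(suite_dir: str, meta: Dict[str, str], index_files: List[str]) -> str:
    """Metadata lines, then ' <digest> <size> <path>' per index under each checksum header."""
    lines = [f"{k}: {v}" for k, v in meta.items()]
    for algo, header in HASH_SECTIONS:
        lines.append(f"{header}:")
        for rel in index_files:
            full = os.path.join(suite_dir, rel)
            lines.append(f" {hash_file(full, algo)} {os.path.getsize(full):>16} {rel}")
    return "\n".join(lines) + "\n"


def parse_release(text: str) -> Dict[str, Dict[str, Tuple[str, int]]]:
    """Return {section: {relpath: (digest, size)}} for the checksum sections."""
    sums: Dict[str, Dict[str, Tuple[str, int]]] = {}
    headers = {h for _, h in HASH_SECTIONS}
    current = None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            digest, size, rel = line.split()
            sums[current][rel] = (digest, int(size))
        elif line.endswith(":") and line[:-1] in headers:
            current = line[:-1]
            sums[current] = {}
        else:
            current = None
    return sums


def verify_release(suite_dir: str, text: str, index_files: List[str],
                   section: str = "SHA256") -> List[str]:
    """List every index apt would refuse: unlisted, wrong size, or wrong digest."""
    algo = {h: a for a, h in HASH_SECTIONS}[section]
    listed = parse_release(text).get(section, {})
    problems = []
    for rel in index_files:
        full = os.path.join(suite_dir, rel)
        if rel not in listed:
            problems.append(f"{rel}: not listed under {section}")
        elif listed[rel][1] != os.path.getsize(full):
            problems.append(f"{rel}: size mismatch")
        elif listed[rel][0] != hash_file(full, algo):
            problems.append(f"{rel}: {section} mismatch")
    return problems


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Clean Release; Release missing one index (the post's problem); Packages edited after the fact."""
    with tempfile.TemporaryDirectory() as suite_dir:
        for rel in INDEX_FILES:
            full = os.path.join(suite_dir, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(SAMPLE_PACKAGES)
        release = build_release(suite_dir, RELEASE_META, INDEX_FILES)
        ok = verify_release(suite_dir, release, INDEX_FILES)
        partial = build_release(suite_dir, RELEASE_META, INDEX_FILES[:1])
        missing = verify_release(suite_dir, partial, INDEX_FILES)
        with open(os.path.join(suite_dir, INDEX_FILES[1]), "ab") as fh:
            fh.write(b"Package: injected\n")  # constructed change made after the Release was built
        tampered = verify_release(suite_dir, release, INDEX_FILES)
    return ok, missing, tampered


if __name__ == "__main__":
    print(demo())
```

The second case is the symptom from the post: a Packages file the Release file never mentions is unverifiable even though the signature on Release itself is perfectly good. The third is why the Release must be regenerated and re-signed after every change to the indexes.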

installing from a signed debian repository day 2

problem #1: the “d-i mirror/*” options don’t support pushing a different key. /usr/share/keyrings/archive.gpg is hardcoded into net-retriever. This can be worked around by modifying the initrd like I did here. This is as of etch / net-retriever 1.15. However, rebuilding the initrd with your keyring only works up until base-installer. I opened bug #467049.

problem #2: base-installer does an mkinitrd near the end, chrooted inside /target. This is before apt-setup runs and pulls down “d-i apt-setup/local0/key”, so the apt-install that runs to get dependencies for mkinitrd fails.

[09:40am|otavio> btm: you can do that putting a file on /target even before base-installer. (but after partitioning)
[09:40am|otavio> btm: /target/etc/apt/apt.conf.d
[09:40am|otavio> btm: it’s ugly but works
[09:49am|otavio> btm: yes, there’s … this requires you to provide a signed repository and a key
[09:50am|otavio> btm: but in a way that it integrates
[09:50am|otavio> btm: i’ve done, long time ago, a patch to base-installer to allow it to, using preseed, install a package with base
[09:51am|otavio> btm: so it could be used for that case where you _do have_ a package with the key

This is too much work right now. My repo is local, so I’m going to go back to running allow_unauthenticated and trust my network. This explains why all the preseed examples on the internet while warning that allow_unauthenticated is insecure, don’t have an example of the correct solution.

Note that after the reboot you need to do an ‘apt-get update’ to get the Release files and signatures for the local repository before apt-get will stop complaining about the unauthenticated-ness of the packages. Bug #467063.

signing your local debian repository

(project incomplete at this time. I can’t see straight)

Usually when I configure a local PXE install of an apt-mirror I use ‘d-i debian-installer/allow_unauthenticated string true’ so I can add my own packages to a mirror. I think in the future setting up two separate mirrors on different virtual hosts is the solution, because I always leave myself with a messy series of symlinks between the web tree, the apt-mirror tree and my own repositories. Only Adam has ever had to look at my mess, so I’ve survived without too much mockery.

On the most recent adventure I tried hacking the Release file. However, recently I’ve had some consultant-provided scripts that aren’t fond of the “allow unauthenticated packages?” prompts. This could be worked around with some flags (like --force-yes) but I like to try to clean things up when confronted with them, at least a little bit. There is the preseed option “#d-i apt-setup/local0/key string http://local.server/key” but that just applies to the apt-setup package that configures /etc/apt/sources.list on /target. All of the installation comes off of “d-i mirror/*” and I don’t see such an option for passing a key. I assume they’re afraid of a MitM attack, as it looks like this is part of a debian-archive-keyring package that gets pushed into the initrd when it’s made.

If you’re not familiar with udebs, they’re worth taking a look at. udebs are small debs used in the installer. Both are ar archives that contain three files. You can extract them without using any dpkg utils with ‘ar p some.udeb data.tar.gz | tar xvz’. More info is in an earlier research project with debs here.

I happen to know that some udebs are unpacked when the initrd is made and others are downloaded by the installer and then installed. Looking in the current initrd for etch i386 I found ‘archive.gpg’ in usr/share/keyrings. This is a little interesting as it looks like the latest udeb installs ‘debian-archive-keyring.gpg’ and symlinks it to ‘archive.gpg’ in the postinst (debian script, found in control.tar.gz in the ar (udeb)). There’s no such file, so I guess this particular udeb wasn’t used to create this initrd. That’s fine though, I figured it out.

You’ll need a gpg key:

gpg --gen-key
cd [wherever your Release file is]
gpg -b Release
mv Release.sig Release.gpg

By the way! There’s lots of information on the internet about mounting initrds using cramfs. That’s old, and it’s frustrating when I forget that. debian and ubuntu initrd images aren’t cramfs filesystems anymore; use:

mkdir initrd ; cd initrd ; gzip -cd ../initrd.gz | cpio -idmv

‘gzip -cd’ decompresses to stdout, and ‘cpio -idmv’ does “copy-in” from the cpio archive, making directories, preserving modification times and being verbose, respectively.

Create a new keyring file containing the Debian archive keys plus your own key:

cd usr/share/keyrings
gpg --import < archive.gpg
gpg --export > archive.gpg

In the root of your decompressed initrd cpio tree:

find . | cpio -ovH newc | gzip -9c > ../initrd.new.gz

The -9 on gzip is super-duper compression, and you’ll get a kernel panic if you try to boot off an initrd image made without ‘-H newc’.

Putting this in your netboot gets you as far as the stage where debian-installer creates the new initrd for the new box, where it fails because you’re now chrooted into /target but apt-setup doesn’t appear to have run yet, so the key listed in “d-i mirror” hasn’t been installed yet (verify with ‘chroot /target’ then ‘apt-key list’ in the shell of your installer when it fails). We could rebuild the debian-archive-keyring udeb with our key added to the keyring, but then we have to regenerate Packages files and Release files to create all the right md5sums.

Apt-setup runs after base-installer in debian-installer, see here. It looks like base-installer runs debootstrap and passes arguments:

/* Excerpt from base-installer's run-debootstrap wrapper; di_system_init(),
   debconfclient_new() and exec_debootstrap() are declared elsewhere in that source. */
#include <stdlib.h>

int
main(int argc, char *argv[])
{
	char **args;
	int i;

	di_system_init("run-debootstrap");
	debconf = debconfclient_new();
	/* Build an argv for debootstrap: the installer's own arguments, passed through unchanged. */
	args = (char **)malloc(sizeof(char *) * (argc + 1));
	args[0] = "/usr/sbin/debootstrap";
	for (i = 1; i < argc; i++)
		args[i] = argv[i];
	args[argc] = NULL;
	return exec_debootstrap(args);
}

And debootstrap has a --keyring option. I can’t see a way to configure this though. There’s a postinst file that has this hardcoded into a variable; I think this is where the option should be. For now I’m re-enabling allow_unauthenticated, as at the very least apt-setup should install my key, and thus allow the packages I want to install to be “authenticated” after the reboot.

Adding RT Command by mail extensions on debian

Have: Debian box running request-tracker3.6, installed via apt. Notes for LDAP and that squirrely Display.html bug.

1) Download RT-Extension-CommandByMail

2) unpack, compile, install:

tar -xvzf RT-Extension-CommandByMail-0.05.tar.gz
cd RT-Extension-CommandByMail-0.05
perl Makefile.PL
make
sudo make install

when asked for the location of RT.pm it is ‘/usr/share/request-tracker3.6/lib/’

3) add: ‘@MailPlugins = qw(Auth::MailFrom Filter::TakeAction);’ to the end of ‘/etc/request-tracker3.6/RT_SiteConfig.pm’ (before ‘1;’)

4) restart the webserver: ‘/etc/init.d/apache2 restart’

5) review the list of commands.

6) send an email and try it out (subject: ‘[$rtname #ticketnumber]’, rtname is set in RT_SiteConfig.pm) and put a command on the first line of the email

You’ll have whatever permissions your email account has. So that’s a spoofable security concern, but whatever.

The referenced account is currently locked out and may not be logged on to.

I got this error while trying to use an admin share (c$) via CIFS on an office XP desktop that’s in the company domain from my XP laptop that isn’t. I built my office desktop and correctly suspected that the original admin account had the same name as my user account on the laptop. The password on this account didn’t meet domain password requirements and was locked out. Even after setting a password that did meet the requirements and unlocking the account, it kept getting re-locked out every time I tried to connect to the desktop.

At older, crazy security-driven companies, I would have blamed someone setting the failed passwords required to lock out an account too low. This practice is horrible because you always have someone say “10 times is obviously a hacker!” who doesn’t take into account all the microsoft software that secretly caches your passwords and tries to auto log you in to stuff with your password rather than kerberos credentials.

I ended up just renaming the account on the desktop, and then the laptop got a password prompt that I could enter my domain credentials into.

weird comcast HTTP 301 redirected issues

Someone asked me for help on a strange problem recently. HTTP requests to a comcast hosted website were sometimes returning HTTP 301 redirects pointing back at themselves. I did a normal HTTP/1.1 GET and saw the 301, but when I went to the URL with firefox it worked fine.

Trying 216.87.188.20...
Connected to home.comcast.net.
Escape character is '^]'.
GET /~user/image.jpg HTTP/1.1
Host: home.comcast.net

HTTP/1.1 301 Moved Permanently
Date: Tue, 19 Feb 2008 19:25:07 GMT
Server: Apache
Set-Cookie: pwp_mig_status=0; Version=1; Max-Age=900; Path=/
Location: http://home.comcast.net/~user/image.jpg
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

100

Moved Permanently
The document has moved here.


Since I’m an admin and not a web developer I started up wireshark, grabbed its HTTP request, then made the same request by hand and got the expected image file instead of the 301 error. I narrowed it down to having to use:

GET /~user/image.jpg HTTP/1.1
Host: home.comcast.net
Cookie: pwp_mig_status=0

I don’t know what the workaround would be. Probably not using comcast, because they’re rat bastards anyway. I’ll note I had trouble testing by hand, probably some annoying security gear was dropping my requests, but I got the right combination eventually.
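The exchange above is a cookie-gated redirect: the server answers 301 to the very same URL and sets a cookie, and only serves the object once that cookie comes back, so any client that follows redirects without a cookie jar loops forever. The added example below (not from the original post, and not Comcast's code) models that server on a loopback port using only the cookie name and header shape from the capture, and pairs it with a client that detects a redirect to the same path, replays the Set-Cookie values, and caps the number of hops so a server that never relents cannot spin it. The response body is a constructed stand-in.

```python
"""Model a cookie-gated self-redirect and a client that copes with it (added example)."""
import http.client
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

GATE_COOKIE = "pwp_mig_status"          # cookie name from the Set-Cookie header in the capture
IMAGE_PATH = "/~user/image.jpg"
FAKE_JPEG = b"\xff\xd8\xff\xe0constructed"  # constructed stand-in for the real image


class CookieGateHandler(BaseHTTPRequestHandler):
    """Constructed model of the observed behaviour: without the cookie, 301 back to the same
    URL plus Set-Cookie; with the cookie, the object itself."""

    def do_GET(self) -> None:
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        if GATE_COOKIE not in jar:
            self.send_response(301)
            self.send_header("Set-Cookie", f"{GATE_COOKIE}=0; Version=1; Max-Age=900; Path=/")
            self.send_header("Location", f"http://{self.headers['Host']}{self.path}")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "image/jpeg")
        self.send_header("Content-Length", str(len(FAKE_JPEG)))
        self.end_headers()
        self.wfile.write(FAKE_JPEG)

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


def fetch(host: str, port: int, path: str, max_hops: int = 3) -> List[Tuple[int, Optional[str]]]:
    """GET path; on a redirect to the same path, adopt the Set-Cookie values and retry.

    Returns (status, Cookie header sent) per hop so the loop is visible, and gives up after
    max_hops rather than chasing a redirect that keeps pointing at itself."""
    jar = SimpleCookie()
    trail: List[Tuple[int, Optional[str]]] = []
    for _ in range(max_hops):
        headers = {}
        if jar:
            headers["Cookie"] = "; ".join(f"{k}={m.value}" for k, m in jar.items())
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        trail.append((resp.status, headers.get("Cookie")))
        # getheaders() keeps multiple Set-Cookie headers separate; getheader() would join them
        set_cookies = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
        same_place = urlsplit(resp.getheader("Location") or "").path == path
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not (same_place and set_cookies):
            break  # a final answer, or a redirect that cookies alone will not satisfy
        for value in set_cookies:
            jar.load(value)
    return trail


def run_demo() -> List[Tuple[int, Optional[str]]]:
    """Serve the model on a free loopback port, fetch the image, shut the server down."""
    server = HTTPServer(("127.0.0.1", 0), CookieGateHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fetch("127.0.0.1", server.server_address[1], IMAGE_PATH)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for status, cookie in run_demo():
        print(status, "sent Cookie:", cookie)
```

The trail shows exactly what the hand-typed telnet session did and did not do: first hop 301 with no cookie, second hop 200 with `pwp_mig_status=0`. A browser gets this for free because it keeps the cookie; a monitoring script or a plain GET does not, which is why the two disagreed.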

using active directory ldap authentication with testlink

Someone requested a testlink install here at work and of course I wanted LDAP authentication (single sign in is good). On debian you’ll need ‘php5 php5-mysql php5-ldap mysql-server’ installed and you will need to restart apache (not reload!) after these are installed. Mostly I’m assuming you got testlink setup and into the database already and you’re just looking for documentation on adding ldap support.

Find the config.inc.php file in the root of your testlink tree and make sure the following settings are set:

$g_login_method = 'LDAP';
$g_ldap_server = 'ad.example.org';
$g_ldap_port = '3268';
$g_ldap_root_dn = 'DC=ad,DC=example,DC=org';
$g_ldap_organization = ''; # e.g. '(organizationname=*Traffic)'
$g_ldap_uid_field = 'sAMAccountName'; # Use 'sAMAccountName' for Active Directory
$g_ldap_bind_dn = 'CN=BindUser,CN=Users,DC=ad,DC=example,DC=org'; // Leave empty if your LDAP server allows anonymous binding
$g_ldap_bind_passwd = 'bindpassword'; // Leave empty if your LDAP server allows anonymous binding

Note a few things. Set the LDAP server not to a single server name but to the DNS name for the domain (or UPN suffix, or whatever you call it). You may notice this resolves to your domain controllers, allowing ghetto redundancy. If not all of your DCs are GCs, use “gc._msdcs.example.org”, since as you’ll see I’m using port 3268 (the global catalog) rather than 389 (LDAP). This is because php5-ldap, or libldap2, or even testlink gets confused when it sees those stupid LDAP referrals you get when the base DN you query is your domain instead of an OU or CN=Users, and will fail. Using the GC instead just works. Since this is Active Directory, unless you’ve hacked it to allow anonymous binding you will need a bind DN and bind password, which can be a regular user, or you can go find the documentation on creating this more securely if it matters to you.

LDAPMessage searchResDone(2) Unknown result(9) (Referral:
ldap://ForestDnsZones.corp.widemile.com/DC=ForestDnsZones,DC=corp,DC=widemile,DC=com
ldap://DomainDnsZones.corp.widemile.com/DC=DomainDnsZones,DC=corp,DC=widemile,DC=com

You’ll then need to create a user via the new user link on the web interface. Make sure username matches up with your sAMAccountName value, that is, your regular username.

Then go into mysql (mysql -u root -p testlink) and make yourself an admin:

update users set role_id=8 where id=2;

Assuming that you’re the first user you created (admin is id=1) (see the users table and the roles table for more information). Now go back and log into the web interface.

fixing public folder permissions in exchange 2007 sp1

Even with Exchange 2007 SP1, which adds the Public Folder Management Console to the Exchange Management Console (EMC) under toolbox, you’re still being forced to learn the Exchange Management Shell (EMS) for many things.

get-PublicFolderClientPermission -identity "\folder" | fl

Remember | fl is for “format-list” which makes the output readable. What’s neat is you’d expect the pipe to take information that you’d see if you weren’t piping the output, and put it in a different format. The damn option is even called FORMAT-list. Alas, sometimes fl gives you more information than you would have gotten otherwise, so I always use it.

add-publicfolderclientpermission -identity "\folder" -User userorgroup -accessrights owner

There’s a good list of accessrights here.

Also, apparently MS is giving their tech writers drugs now. Read this to de-stress after dealing with these shenanigans. Just remember:

Public folders do not talk. Any conversations between public folders and a real person occurred solely in the mind of the writer. And according to her, that’s the only voice she’s been hearing lately.

promiscuous mode for intel 3945ABG wireless

A Dell D620 laptop with an Intel 3945ABG card on Windows XP doesn’t work in promiscuous mode for applications that use winpcap like wireshark or ethereal out of the box using the Dell drivers. Using the Intel drivers from here despite kind words saying to use the OEM drivers works fine with wireshark. Just unarchive and run the executable and it updates the existing drivers without a reboot, although you will lose your wireless connection for a moment.

enabling root ssh on your nas

I’m liking NAS boxes more and more. I’ve been annoyed at some NAS gear at work, Infrant ReadyNAS gear, that I’ve been unable to set a permission of “force R/W for everyone”, let alone something more complicated. The web interface has under ‘advanced options’ the ability to reset the permissions but it hasn’t always worked the way I expect it to.

Netgear bought Infrant though, and installing the most recent RAIDiator firmware netgear-itizes everything. Coolest feature though? After you install the latest firmware if you install these two files as firmware: ToggleSSH and EnableRootSSH, you can ssh into the thing as root and poke around. Looks like lots of people have schemes for running databases and crap on it, which seems a little gnarly. I’m happy to be able to go in and get a look at the permissions, samba and winbind configs though.