Archive for June, 2009

#Nextfail & #tcs

Posted by on Friday, 26 June, 2009

I was just trying to buy my wife a present on Next and have
encountered what I believe is a really sneaky way of doing business.
Basically the idea is this:
 
* You visit the website
* You buy presents for your wife
* Get to the checkout and fill in your details
* Choose the option for “Don’t send me the Next directory and charge me delivery”
* Tick the box with the red asterisk next to it saying that you have read the
terms and conditions
* Proceed to payment — Oooops!!
 
There is no proceed to payment – in the background they have performed
a credit check and given you a £600 credit account which will be
charged at 26% APR should you not pay it off directly. 26%!!!!
 
I realise that I should have read the t&c’s when purchasing from a new
place online, so I went back and started to set up a new account to test
where in the procedure they tell you that this is happening. The
answer is nowhere. The link to the terms and conditions goes to
some kind of QA/QC environment called pilot.next.co.uk which requires a
login (see screenshot) – changing it to www.next.co.uk lets you
see the t&c’s.
 
So I phoned up to try and cancel the order, only to be told this is not
possible until the goods have arrived, and that it will have to be done
over the phone. I also made clear my displeasure about the setting up
of the account and the credit check, and was informed that you can pay
“cash” by reading the t&c’s – I have so far been unable to do this, but
that might just be me.
 
My lesson from this is always to read the t&c’s before clicking agree,
but I do feel that Next are being at best sneaky and at worst tricking
people into taking out an account, with the possibility of charging you
26% interest.

SQL 2000 and sending mail on failure

Posted by on Friday, 19 June, 2009

Had major probs recently when our SQL server failed to notify us of a
failure until we really needed a backup. The mail setup in SQL 2000
is absolutely shocking and requires you to install Internet
Mail (remember that!!!) or Outlook on the server, create a MAPI profile
and then associate that MAPI profile with the SQL server.
What we need to do is send mail on failure (and optionally on success).
The answer is xpsmtp – follow this guy’s instructions and sending mail
from SQL 2000 becomes a very easy thing.

 http://sqldev.net/xp/xpsmtp.htm

I have set up an additional step in my jobs called fail, which runs
when the job fails and sends mail to alert us lowly humans that once
again the computers have failed. Skynet will not be driven by SQL
2000….

New laptop setup

Posted by on Sunday, 14 June, 2009

Finally I think I have my new (to me) laptop set up in the way that I
want it. I have wanted to use a Linux workstation for a long time to
experience it and see how it works in real life, instead of just a
file/mail server etc. here and there in the office. I do still love OS X
as well, but am looking forward to giving this a try.

My setup is as follows on my MacBook Pro 3,1:

OS X installed in the 1st primary partition, with rEFIt installed to give boot options
Ubuntu installed in a second partition
A third partition which will be used to share information between the two OSes.

As company standards dictate that we must have encrypted drives, I have
used TrueCrypt to ensure this. Unfortunately TrueCrypt will only work
with FAT or ext2/3, and FAT doesn’t support files over 4GB, so a
secondary (and unfortunately paid-for) solution is required. I found
this http://www.paragon-software.com/home/extfs-mac/ which works very
well and integrates seamlessly.

So far I have found the following problems with my Ubuntu
install, and I believe many of them are to do with 64-bit.

Skype sometimes doesn’t recognise my audio and requires a bit of love
and attention
Flash (even the new 64-bit version) requires me to run it as sudo,
otherwise it just dies with a segfault.
NetworkManager sometimes kills the wifi connection and then won’t
connect again
Adobe AIR took a bit of care to install

 What works brilliantly:
Almost everything else :)

 I’m still running OSX for things like iPhoto and iTunes but will be
trying out ubuntu as my primary OS for the next month or so.

Converting files for iphone using ffmpeg on ubuntu jaunty

Posted by on Friday, 12 June, 2009

Was having real problems converting files using ffmpeg on my new
Linux machine; there were lots of errors like:

unknown encoder
incorrect frame size

blah blah blah

Two hints with this:

1/ Use the excellent mp4ize from
http://thomer.com/howtos/ipod_video.html – obviously you need to apt-get install
ffmpeg etc. first
2/ apt-get install libavcodec-unstripped-VERSIONNUMBER

This piece of magic is almost as good for converting video for my
iPhone as VisualHub was on the Mac.

Ubuntu, adobe air, flash and firefox

Posted by on Thursday, 11 June, 2009

This guy here: http://www.bauer-power.net/2009/05/getting-adobe-air-to-work-in-ubuntu-904.html has the right way to get Adobe AIR working from within the amd64 version of Ubuntu. TweetDeck and Twhirl are working great; iPlayer less so, but that’s on the way, I hope.

Problems with powerdns

Posted by on Sunday, 7 June, 2009

We’ve been having some real problems recently with PowerDNS with the
gmysql backend, which seems to just die suddenly at random times. The
version we’re using is the current Debian lenny version, 2.9.21.2. The
only errors in the logs have been things like the one below, after which
the server just dies until restarted.

Parsing record content: Data field in DNS should start with quote" on
TXT/SPF records

I have tried various things, but I think that the following conf file
has made it work and not die.

 
# Autogenerated configuration file template
#################################
# allow-axfr-ips If enabled, restrict zonetransfers to originate from these
# IP addresses
#
# allow-axfr-ips=
 
#################################
# allow-recursion List of netmasks that are allowed to recurse
#
allow-recursion=127.0.0.1
 
#################################
# allow-recursion-override Local data even about hosts that don't exist will
# override the internet. (on/off)
#
# allow-recursion-override=
 
#################################
# cache-ttl Seconds to store packets in the PacketCache
#
 cache-ttl=20
 
#################################
# chroot If set, chroot to this directory for more security
#
# chroot=/var/spool/powerdns
 
#################################
# config-dir Location of configuration directory (pdns.conf)
#
config-dir=/etc/powerdns
 
#################################
# config-name Name of this virtual configuration - will rename the binary image
#
# config-name=
 
#################################
# control-console Debugging switch - don't use
#
# control-console=no
 
#################################
# daemon Operate as a daemon
#
daemon=yes
 
#################################
# default-soa-name name to insert in the SOA record if none set in the backend
#
# default-soa-name=a.misconfigured.powerdns.server
 
#################################
# disable-axfr Disable zonetransfers but do allow TCP queries
#
disable-axfr=yes
 
#################################
# disable-tcp Do not listen to TCP queries
#
# disable-tcp=no
 
#################################
# distributor-threads Default number of Distributor (backend) threads to start
#
 distributor-threads=10
 
#################################
# fancy-records Process URL and MBOXFW records
#
 fancy-records=no
 
#################################
# guardian Run within a guardian process
#
guardian=yes
 
#################################
# launch Which backends to launch and order to query them in
#
# launch=
launch=gmysql
 
 
#################################
# lazy-recursion Only recurse if question cannot be answered locally
#
lazy-recursion=yes
 
#################################
# load-modules Load this module - supply absolute or relative path
#
# load-modules=
 
#################################
# local-address Local IP address to which we bind
#
local-address=YOURIPADDRESS
 
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=
 
#################################
# local-port The port on which we listen
#
local-port=53
 
#################################
# log-dns-details If PDNS should log failed update requests
#
 log-dns-details=yes
 
#################################
# log-failed-updates If PDNS should log failed update requests
#
 log-failed-updates=yes
 
#################################
# logfile Logfile to use
#
 logfile=/var/log/pdns.log
 
#################################
# logging-facility Log under a specific facility
#
 logging-facility=0
 
#################################
# loglevel Amount of logging. Higher is more. Do not set below 3
#
 loglevel=6
 
#################################
# master Act as a master
#
# master=no
 
#################################
# max-queue-length Maximum queuelength before considering situation lost
#
# max-queue-length=5000
 
#################################
# max-tcp-connections Maximum number of TCP connections
#
# max-tcp-connections=10
 
#################################
# module-dir Default directory for modules
#
module-dir=/usr/lib/powerdns
 
#################################
# negquery-cache-ttl Seconds to store packets in the PacketCache
#
# negquery-cache-ttl=60
 
#################################
# out-of-zone-additional-processing Do out of zone additional processing
#
# out-of-zone-additional-processing=no
 
#################################
# query-cache-ttl Seconds to store packets in the PacketCache
#
# query-cache-ttl=20
 
#################################
# query-logging Hint backends that queries should be logged
#
# query-logging=no
 
#################################
# queue-limit Maximum number of milliseconds to queue a query
#
# queue-limit=1500
 
#################################
# query-local-address The IP address to use as a source address for sending
# queries.
# query-local-address=
 
#################################
# receiver-threads Number of receiver threads to launch
#
# receiver-threads=1
 
#################################
# recursive-cache-ttl Seconds to store packets in the PacketCache
#
# recursive-cache-ttl=10
 
#################################
# recursor If recursion is desired, IP address of a recursing nameserver
#
# recursor=
 
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
 
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns
 
#################################
# skip-cname Do not perform CNAME indirection for each query
#
# skip-cname=no
 
#################################
# slave Act as a slave
#
# slave=no
 
#################################
# slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds
#
# slave-cycle-interval=60
 
#################################
# smtpredirector Our smtpredir MX host
#
# smtpredirector=a.misconfigured.powerdns.smtp.server
 
#################################
# soa-minimum-ttl Default SOA mininum ttl
#
# soa-minimum-ttl=3600
 
#################################
# soa-refresh-default Default SOA refresh
#
# soa-refresh-default=10800
 
#################################
# soa-retry-default Default SOA retry
#
# soa-retry-default=3600
 
#################################
# soa-expire-default Default SOA expire
#
# soa-expire-default=604800
 
#################################
# soa-serial-offset Make sure that no SOA serial is less than this number
#
# soa-serial-offset=0
 
#################################
# socket-dir Where the controlsocket will live
#
socket-dir=/var/run
 
#################################
# strict-rfc-axfrs Perform strictly rfc compliant axfrs (very slow)
#
# strict-rfc-axfrs=no
 
#################################
# urlredirector Where we send hosts to that need to be url redirected
#
# urlredirector=127.0.0.1
 
#################################
# use-logfile Use a log file
#
 use-logfile=yes
 
#################################
# webserver Start a webserver for monitoring
#
 webserver=no
 
#################################
# webserver-address IP Address of webserver to listen on
#
# webserver-address=127.0.0.1
 
#################################
# webserver-password Password required for accessing the webserver
#
# webserver-password=
 
#################################
# webserver-port Port of webserver to listen on
#
# webserver-port=8081
 
#################################
# webserver-print-arguments If the webserver should print arguments
#
# webserver-print-arguments=no
 
#################################
# wildcard-url Process URL and MBOXFW records
#
# wildcard-url=no
 
#################################
# wildcards Honor wildcards in the database
#
# wildcards=
 
#################################
# version-string What should PowerDNS return for version
# allowed methods are anonymouse / powerdns / full / custom
version-string=powerdns
 
include=/etc/powerdns/pdns.d

I think the critical thing is the number of distributor threads (but
not 100% sure tbh). The other error I have seen is that
pdns_control is unable to connect to the running instance and
you receive the following error:

servername:/home/blah# pdns_control version
Unable to connect to remote '/var/run/pdns.controlsocket'

To fix this, run the following:

servername:/home/blah# /etc/init.d/pdns stop
servername:/home/blah# mv /var/run/pdns.controlsocket /var/run/pdns.controlsocket.old
servername:/home/blah# /etc/init.d/pdns start
servername:/home/blah# pdns_control version
2.9.21.2
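The config above is what made the daemon stay up, but it also decides what the server exposes: AXFR is switched off, allow-recursion is pinned to loopback (moot here, since recursor is unset and the authoritative server does not recurse without it), the process drops to pdns:pdns after binding port 53, version-string hides the exact build, and the monitoring webserver stays off. The script below is an added example, not part of the original post and not PowerDNS's own tooling, that audits a pdns.conf in this key=value format for those settings. The function names are mine; the defaults it assumes for keys left empty (allow-axfr-ips and allow-recursion unrestricted) are an assumption about the 2.9 behaviour and should be checked against the version in use.

```shell
#!/bin/sh
# Added example, not from the original post: audit a PowerDNS 2.9-style
# pdns.conf (key=value lines, '#' comments, as in the file above) for the
# settings that decide what the server exposes. Assumed defaults for unset
# keys: allow-axfr-ips empty = no restriction, allow-recursion empty = everyone.

# pdns_get FILE KEY: print the effective value of KEY (last uncommented
# assignment wins, leading whitespace ignored); prints nothing if unset.
pdns_get() {
    sed -n 's/^[[:space:]]*//; /^#/d; s/^'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

pdns_note() {
    echo "WARN: $1"
    PDNS_FINDINGS=$((PDNS_FINDINGS + 1))
}

# pdns_audit FILE: print one WARN line per weak setting; return the count.
pdns_audit() {
    conf=$1
    PDNS_FINDINGS=0

    # Recursion is only live when 'recursor' points at a resolver; then
    # allow-recursion must be restricted or this is an open resolver.
    if [ -n "$(pdns_get "$conf" recursor)" ]; then
        case "$(pdns_get "$conf" allow-recursion)" in
            ""|0.0.0.0/0*) pdns_note "recursor set but allow-recursion is unrestricted (open resolver)" ;;
        esac
    fi

    # Zone transfers: either switch them off or pin them to the secondaries.
    if [ "$(pdns_get "$conf" disable-axfr)" != "yes" ] && [ -z "$(pdns_get "$conf" allow-axfr-ips)" ]; then
        pdns_note "AXFR allowed from any address (set disable-axfr=yes or allow-axfr-ips)"
    fi

    # Drop root after binding port 53.
    [ -n "$(pdns_get "$conf" setuid)" ] || pdns_note "setuid unset: pdns_server keeps running as root"
    [ -n "$(pdns_get "$conf" setgid)" ] || pdns_note "setgid unset"

    # What version.bind / version.server queries get back.
    [ "$(pdns_get "$conf" version-string)" != "full" ] || pdns_note "version-string=full reveals the exact build"

    # Monitoring webserver: needs a password and should stay on loopback.
    if [ "$(pdns_get "$conf" webserver)" = "yes" ]; then
        [ -n "$(pdns_get "$conf" webserver-password)" ] || pdns_note "webserver enabled without webserver-password"
        addr=$(pdns_get "$conf" webserver-address)
        if [ -n "$addr" ] && [ "$addr" != "127.0.0.1" ]; then
            pdns_note "webserver bound to $addr rather than loopback"
        fi
    fi

    echo "$PDNS_FINDINGS finding(s) in $conf"
    return "$PDNS_FINDINGS"
}

# Usage: sh pdns-audit.sh /etc/powerdns/pdns.conf
if [ "$#" -gt 0 ]; then
    pdns_audit "$1"
fi
```

The exit status is the number of findings, so the script can sit in a cron job or a config-management check and fail loudly when someone flips disable-axfr or turns the webserver on without a password. chroot is deliberately not checked: the template above leaves it commented out, and whether it is workable depends on what the gmysql backend needs inside the jail.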

Galway Arts Festival

Posted by on Thursday, 4 June, 2009

Looking forward to seeing Tommy Tiernan when the tickets _finally_ go on sale

Steps for getting LDAP authentication working on Debian

Posted by on Wednesday, 3 June, 2009

 

Sources:

http://www.adminspotting.net/articles/windows/linux-and-active-directory.html

http://moduli.net/sysadmin/sarge-ldap-auth-howto.html

http://twitter.com/evilchilli – a very helpful and knowledgeable guy

 

Aim:

To get all linux users authenticating from our Active Directory implementation which is running on Windows 2003R2.

 

On the Active Directory Server:

From Add/Remove Programs -> Add/Remove Windows Components -> Active Directory Services, install Identity Management for UNIX and reboot.

 

Create a user which we’re going to use to bind. I have called mine adlookup, which sits in our Service Accounts OU.

CN=AD Lookup,OU=Service Accounts,DC=DOMAIN,DC=com

 

It is very important that the password doesn’t have any special characters in it. I had to change the domain policy to set it, as apparently there can only be one password policy per domain.

In Active Directory Users/Computers either create a new group or choose an existing group for your users, right click and choose properties.

Add your users

Choose Unix Attributes and select the correct NIS domain.

 

Now select a user, right click on them and select properties

Choose Unix Attributes

Select the NIS domain, Home Directory, shell and primary group name

 

Linux Client:

apt-get install ldap-utils openssl libpam-ldap libnss-ldap nscd

Edit /etc/ldap/ldap.conf to look like this:

BASE    OU=OU,dc=DOMAIN,dc=com
URI     ldap://IPOFADBOX:389
HOST    IPOFADBOX

run

ldapsearch -x -W -D "cn=AD Lookup,OU=Service Accounts,dc=DOMAIN,dc=com" -LLL "(sAMAccountName=adlookup)"

then enter your password and it should return the correct details, if it does then you’re brilliant :)

Now back up the existing file:

mv /etc/libnss-ldap.conf /etc/libnss-ldap.old

nano -w /etc/libnss-ldap.conf

Make it look like this:

host IPOFADSERVER # Important – it must be the IP and not the DNS entry
ldap_version 3
binddn CN=AD Lookup,OU=Service Accounts,DC=DOMAIN,DC=com
bindpw PASSWD # no special characters
scope sub
timelimit 30
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad
base OU=YOUROU,dc=DOMAIN,dc=com # make sure you limit this to only what is required, as I had strange errors otherwise
rootbinddn CN=ADMINUSER,CN=Users,DC=DOMAIN,DC=com # what user root should bind as to enable passwd changes etc.
pam_groupdn CN=WHATGROUPAREUSERSIN,CN=Users,DC=DOMAIN,DC=com # what group users must be in to be allowed to log in


The contents of libnss-ldap.conf and pam_ldap.conf are identical in my setup, so just link them together to save any additional work:

mv /etc/pam_ldap.conf /etc/pam_ldap.old && ln -s /etc/libnss-ldap.conf /etc/pam_ldap.conf

nano -w /etc/libnss-ldap.secret # enter your admin (rootbinddn) password

ln -s /etc/libnss-ldap.secret /etc/pam_ldap.secret # same password

chmod 600 /etc/libnss-ldap.secret # make sure this is readable only by root, since it holds the rootbinddn password

Edit your /etc/nscd.conf file and change the following parameters:

I have chosen an arbitrary size of 500MB, but I found that there were some crazy assertion errors coming in if I left the defaults, such as this: openldap-2.4.11/libraries/liblber/sockbuf.c. I think it must be to do with the size of the cache in nscd, but I am not sure. I also got an error about “invalid persistent database” when this was set too large.

max-db-size             passwd          524288000
max-db-size             group           524288000
max-db-size             services        524288000

Now you have to tell NSS where to get its users, so make your /etc/nsswitch.conf look like the below. It is very important to get the order right: compat must come first and then ldap. I found that my machine wouldn’t boot if it was trying to do the LDAP lookup first.

#passwd:         compat

#group:          compat

#shadow:         compat

passwd:         compat ldap

group:          compat ldap

shadow:         compat

 

You must now make nsswitch readable by all so:

chmod 644 /etc/nsswitch.conf

Now you can test this is working by doing:

getent passwd USER.NAME # this must be a username you have enabled up there ^

/etc/pam.d Common Files

 

Debian has a series of files in /etc/pam.d whose names start with common-, which are included by the other files in that directory for specific services. We can tell PAM to use LDAP for all of these services by modifying these common files.

 

Edit /etc/pam.d/common-password, comment out and replace:

password required pam_unix.so nullok obscure min=4 max=8 md5

or:

password required pam_cracklib.so retry=3 minlen=6 difok=3

password required pam_unix.so use_authtok nullok md5

with:

# try password files first, then ldap. enforce use of very strong passwords.

password required pam_passwdqc.so min=disabled,16,12,8,6 max=256

password sufficient pam_unix.so use_authtok md5

password sufficient pam_ldap.so use_first_pass use_authtok md5

password required pam_deny.so

Read the pam_passwdqc man page for more about parameters you can give to it.

 

Edit /etc/pam.d/common-auth comment:

auth required pam_unix.so nullok_secure

replace with:

# try password file first, then ldap

auth sufficient pam_unix.so

auth sufficient pam_ldap.so use_first_pass

auth required pam_deny.so

In /etc/pam.d/common-account comment:

account required pam_unix.so

replace with:

# try password file first, then ldap

account sufficient pam_unix.so

account sufficient pam_ldap.so

account required pam_deny.so

And this line to /etc/pam.d/common-session:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022


This should now be it. I haven’t quite got automatic sudo working yet, or auto-mounting of the home directory from an NFS source, but that is the next step :)

 

Troubleshooting:

The password you bind with must not have special characters

In nscd.conf you must have a decent sized cache file

Your Unix attributes must be correct

Check that your getent passwd is working and that your ldapsearch is working
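Two things the procedure above leaves implicit are worth checking explicitly. First, libnss-ldap.conf has to stay readable by every process that does a name lookup, so the bindpw in it is effectively readable by every local user; that is why the bind identity has to be a lookup-only account like adlookup, with the real admin credential kept for root alone in the mode-600 secret file. Second, `ldap://IPOFADBOX:389` with a simple bind sends that bindpw, and every user password pam_ldap checks, across the network in clear; ldaps:// or `ssl start_tls` fixes that, and AD will in any case refuse the password change that `pam_password ad` performs over a non-TLS connection. The script below is an added example, not from the original post or from any of its sources, that turns the troubleshooting list and those two points into checks; the function names are mine, the paths are the ones used above, and the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: checks for the Debian LDAP
# client files configured above. Every function takes a path, so it can be
# pointed at copies; the paths in ldap_client_audit are the ones the post uses.

# The rootbinddn secret must be non-empty and readable by root only.
secret_ok() {
    f=$1
    [ -s "$f" ] || { echo "WARN: $f missing or empty"; return 1; }
    [ -n "$(find "$f" -prune -perm 600 -print)" ] || { echo "WARN: $f is not mode 600"; return 1; }
    return 0
}

# libnss-ldap.conf must stay world-readable for NSS, so a bindpw in it is
# readable by every local user: the bind account has to be lookup-only.
bindpw_check() {
    f=$1
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$f" || return 0
    if [ -n "$(find "$f" -prune -perm -004 -print)" ]; then
        echo "NOTE: $f is world-readable and carries bindpw; that account must have read-only rights"
        return 1
    fi
    return 0
}

# nsswitch.conf: local files before ldap for passwd/group, and no ldap
# for shadow (AD serves no shadow entries; pam_ldap does authentication).
nsswitch_check() {
    awk 'BEGIN { bad = 0 }
         $1 == "passwd:" || $1 == "group:" {
             if ($2 != "compat" && $2 != "files") { print "WARN: " $1 " consults " $2 " before local files"; bad++ }
         }
         $1 == "shadow:" {
             for (i = 2; i <= NF; i++) if ($i == "ldap") { print "WARN: shadow: lists ldap"; bad++ }
         }
         END { exit bad }' "$1"
}

# Plain ldap:// with simple bind sends bindpw and every user password in
# clear; require ldaps:// or a TLS directive (ssl start_tls / ssl on).
transport_check() {
    if grep -Eqi '^[[:space:]]*(uri[[:space:]]+ldaps://|ssl[[:space:]]+(on|start_tls))' "$1"; then
        return 0
    fi
    echo "WARN: $1 uses plain ldap:// with no TLS directive"
    return 1
}

# Each common-* stack should finish with the pam_deny.so catch-all.
pam_deny_last() {
    last=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | tail -n 1)
    case "$last" in
        *pam_deny.so*) return 0 ;;
    esac
    echo "WARN: $1 does not end with pam_deny.so"
    return 1
}

# Run everything against the live files; returns the number of failed checks.
ldap_client_audit() {
    fails=0
    secret_ok       /etc/libnss-ldap.secret || fails=$((fails + 1))
    bindpw_check    /etc/libnss-ldap.conf   || fails=$((fails + 1))
    transport_check /etc/libnss-ldap.conf   || fails=$((fails + 1))
    nsswitch_check  /etc/nsswitch.conf      || fails=$((fails + 1))
    for s in auth account password; do
        pam_deny_last "/etc/pam.d/common-$s" || fails=$((fails + 1))
    done
    echo "$fails check(s) failed"
    return "$fails"
}

# Usage: sh ldap-client-audit.sh --run
if [ "${1:-}" = "--run" ]; then
    ldap_client_audit
fi
```

Run as root with `--run` after finishing the steps above; on the configuration exactly as written, transport_check is the one that will complain, which is the point. The bindpw check is a NOTE rather than a hard failure because the file genuinely has to be world-readable on this setup; what it guards is the temptation to reuse the admin account as binddn.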

 

Posterous | Re: New Blog

Posted by on Wednesday, 3 June, 2009

Hmmm, this does look quite useful, be warned – perl(ha!!)s of wisdom coming this way soon 😉
Sent using BlackBerry® from Orange

New Blog

Posted by on Wednesday, 3 June, 2009

Is it time for me to start blogging again?? Maybe it is – let’s see how
this thing works out :)