T’Krin’s Realm

My yammerings…

Friday, May 30, 2008

Dean Kamen’s Robot Arm Grabs More Publicity | Gadget Lab from Wired.com

Dean Kamen showed some video of the impressive, mind-controlled prosthetic robot arm he’s invented today at D6 in Carlsbad.

This is absolutely fantastic, especially for those who have lost limbs in Iraq!

posted by tkrin at 4:44 pm  

Tuesday, March 11, 2008

Vsftpd + SSL on CentOS 5

Sweet and Simple. Should be OK on CentOS 4, I’d imagine too.

The following forces SSL for FTP logins (force_local_logins_ssl=YES); data connections are not forced onto SSL, since force_local_data_ssl=NO. Passive connections will be required as well.

1 - Add the following to your vsftpd.conf file:

pasv_address=192.168.1.1
pasv_min_port=40000
pasv_max_port=40100
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=YES
rsa_cert_file=/etc/ssl/your_cert.pem

Restart vsftpd: service vsftpd restart

2 - If you have iptables set up on your box, add the following to your /etc/sysconfig/iptables:

-A RH-Firewall-1-INPUT -m state --state NEW -p TCP --dport 40000:40100 -j ACCEPT

Restart Iptables: service iptables restart

That should be it.
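A check for the TLS options above, as an added example that is not part of the original post: it applies vsftpd's documented defaults for absent options and reports which effective settings leave logins or data weakly protected. The policy table and function names are assumptions of this example.

```python
# Added example: audit the TLS-related options of a vsftpd.conf.
# vsftpd's documented defaults, applied when an option is absent.
DEFAULTS = {
    "ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO", "ssl_tlsv1": "YES",
    "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
}
# Expected value per option and the risk otherwise (policy is this example's assumption).
POLICY = {
    "ssl_enable": ("YES", "no TLS at all: logins and data are clear text"),
    "ssl_sslv2": ("NO", "SSLv2 is obsolete and broken"),
    "ssl_sslv3": ("NO", "SSLv3 is obsolete and broken (POODLE)"),
    "ssl_tlsv1": ("YES", "TLS is switched off, leaving only SSL protocols"),
    "force_local_logins_ssl": ("YES", "passwords may be sent in clear text"),
    "force_local_data_ssl": ("YES", "file contents and listings may be sent in clear text"),
}
TRUTHY, FALSY = {"YES", "TRUE", "1"}, {"NO", "FALSE", "0"}

def parse_conf(text):
    """Return (settings, malformed_line_numbers). vsftpd allows no spaces around '='."""
    settings, malformed = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key != key.strip() or value != value.strip():
            malformed.append(n)
            continue
        settings[key] = value
    return settings, malformed

def audit(text):
    """Return (findings, malformed); findings are (option, effective_value, risk)."""
    settings, malformed = parse_conf(text)
    effective = dict(DEFAULTS)
    for key, value in settings.items():
        v = value.upper()
        if key in DEFAULTS and v in TRUTHY | FALSY:
            effective[key] = "YES" if v in TRUTHY else "NO"
    findings = [(k, effective[k], why)
                for k, (want, why) in POLICY.items() if effective[k] != want]
    return findings, malformed

# The SSL option lines from the post, embedded as sample input
POST_CONF = """ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=YES
rsa_cert_file=/etc/ssl/your_cert.pem
"""

if __name__ == "__main__":
    for option, value, risk in audit(POST_CONF)[0]:
        print(f"{option}={value}: {risk}")
```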

posted by tkrin at 1:52 pm  

Wednesday, November 14, 2007

This was actually made using Google Docs. Pretty neat!

posted by tkrin at 11:41 pm  

Tuesday, September 12, 2006

Finally… WP 2.0

Upgraded and surprisingly, no issues.  w00t

posted by T'Krin at 9:58 pm  

Tuesday, August 15, 2006

Sun X2100 + VGA monitor = 0

Sun assumes the X2100s are going to be run headless and therefore configures them to output via the serial console. If you plug a monitor into the video port on this nice little pizza box, you’ll end up w/ a blinking underscore. So, some safe advice… make sure you have access to a PC or laptop w/ a serial port and the appropriate cable. :) What makes this worse is that nowhere is this mentioned in the supplied documentation. Doh!

posted by T'Krin at 10:37 pm  

Monday, July 24, 2006

Antivirus solutions from Symantec, McAfee and TrendMicro are not all they are cracked up to be.

I’ve not been willing, as with many of my peers, to install solutions from the big three AV vendors. Read on and come to your own conclusion.

Why popular antivirus apps do not work

posted by T'Krin at 10:29 am  

Tuesday, May 30, 2006

Airport support in Ubuntu Dapper on a PowerBook G4

It was surprisingly easy to get the Airport card working. First download and install the firmware files in a deb package format from:

http://ubuntu.cafuego.net/dists/dapper-cafuego/bcm43xx/

It puts firmware files in /lib/firmware.

Next create a little script such as:

#!/bin/bash

interface=eth0  # interface of your wireless card

# Turning off wired network…
ifconfig eth1 down

modprobe bcm43xx

# Starting up wireless network…
ifconfig "$interface" up
iwconfig "$interface" essid MY_ESSID
iwconfig "$interface" mode managed
iwconfig "$interface" key off
dhclient "$interface"

You can also use the Network Settings tools to manage the wireless connection. A thread at Ubuntu Forums, http://www.ubuntuforums.org/showthread.php?t=142727, was a good source of information.

posted by T'Krin at 10:32 pm  

Wednesday, April 12, 2006

Some consultants are pathetic!

We get a call from a new client, which is always nice. He proceeds to describe that the company he hired to create a new website for his company hosed his web server, SBS 2003 running IIS, which is sad by itself. ;) I’m told that the company develops on either Linux or OSX and Apache and don’t seem to know IIS at all. They end up causing all these problems and not only does the client’s web site stop working, so does the client’s intranet site. Sheesh. These guys even put the directory containing the website in the desktop directory of a user account rather than C:\inetpub. Sheesh! I’m no Windows fan, but it’s sad to see people messing up things like that. While it makes my company money, which I won’t complain about, it’s sad that we will now have to smooth things over.

posted by T'Krin at 4:10 pm  

Monday, March 13, 2006

Tool to help recover from a broken RAID5

I came upon the need to attempt data recovery on a broken RAID5 array. Long story short, my client had a server with no backup at a data center. At the DC, an electrician was working on the breakers, to which our client’s rack is connected, and took down power multiple times, probably a slew of surges too! :-@ That’s another story. I did not have any commercial tools that would reconstruct a set of RAID5 images, so off I went a-Googling. What I found was an interesting solution created by Edmundo Carmona, which can be found at Free Software Magazine. I’m not going to go into details here, but it worked pretty well, although we could not get any data recovered, as the drives seemed to have been totally hosed by the power issues. We eventually did try commercial tools, which yielded the same results. Anyway, some may find the tool useful, but I hope you don’t have a need for this.

posted by tkrin at 5:07 pm  

Monday, February 13, 2006

Howto: Samba 3 Authenticating to Windows 2003 Active Directory

A quick and dirty howto for CentOS 4.

  1. Make sure system is completely updated.

    yum update

  2. Make sure Kerberos packages are installed.

    krb5-server krb5-workstation

  3. Edit /etc/krb5.conf to work with the 2003 AD server. It should look similar to below. The lines in bold are what need to be changed, and entries are CASE sensitive!

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = ADS.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false

    [realms]
    ADS.LOCAL = {
        kdc = ads.local
        admin_server = 192.168.0.1:749
        default_domain = ads.local
    }

    [domain_realm]
    .ads.local = ADS.LOCAL
    ads.local = ADS.LOCAL

    [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

  4. Configure Samba. The basic config should look like below. Bold items are important.



    [global]
    dns proxy = no
    log file = /var/log/samba/%m.log
    load printers = no
    netbios name = Samba
    server string = Samba Server
    socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    workgroup = ADS
    realm = ADS.LOCAL
    os level = 20
    encrypt passwords = yes
    security = ADS
    preferred master = no
    max log size = 50
    # Enable if you will not serve printers off this server
    disable spoolss = yes
    template shell = /bin/false
    template homedir = /home/%D/%U
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    enhanced browsing = no
    winbind use default domain = yes

    Run testparm to make sure you do not have any typos or errors.

  5. Edit /etc/nsswitch.conf so that the system will use winbind for authentication.


    passwd: files winbind
    group: files winbind

  6. Start Samba and join it to the domain.

    service smb restart

    net ads join -U Administrator@ADS.LOCAL

  7. Start Winbind and restart Samba

    service smb restart

    service winbind start

  8. Run wbinfo -u to see if user accounts on the 2003 Server are seen.
  9. To see some info about the connected domain issue net ads info
  10. Edit /etc/fstab and add the option acl to the file system that will hold any directories shared by Samba. For example:

    /dev/md2 / ext3 defaults,acl 1 1

  11. Reboot the server or issue a remount command similar to mount -n -o remount,defaults,acl /
  12. Make sure Samba and Winbind are set to start at system boot.

    chkconfig smb on

    chkconfig winbind on

  13. Let’s setup an example share for use by Administrator. smb.conf should contain something like:


    [Backups]

    comment = Backups

    wide links = no

    writeable = yes

    create mode = 644

    path = /home/BACKUPS
  14. Let’s set permissions on /home/BACKUPS so that administrator has rwx permissions.

    setfacl -m u:"ADS\\Administrator":rwx /home/BACKUPS

  15. Check the permissions. getfacl /home/BACKUPS You should see something like the following:

    getfacl /home/BACKUPS
    getfacl: Removing leading '/' from absolute path names
    # file: home/BACKUPS
    # owner: foo
    # group: foo
    user::rwx
    user:administrator:rwx
    group::rwx
    mask::rwx
    other::rwx

  16. In the event of DNS failure, you may want to edit /etc/hosts and add a line for the 2003 Server so the samba server always knows the IP of the 2003 server.
  17. Because these two servers depend highly on time synchronization, ntpd must be set up to sync to the AD server. Do this by editing /etc/ntp.conf and /etc/ntp/step-tickers. Examples of which are as follows:

    Enter your AD server’s FQDN after the first server entry in ntp.conf

    ### Begin /etc/ntp.conf ###
    restrict default nomodify notrap noquery
    restrict 127.0.0.1
    server 2003server.ads.local
    server 1.pool.ntp.org
    server 2.pool.ntp.org
    server 127.127.1.0 # local clock
    fudge 127.127.1.0 stratum 10
    driftfile /var/lib/ntp/drift
    broadcastdelay 0.008
    keys /etc/ntp/keys
    ### END /etc/ntp.conf

    List the three servers in /etc/ntp/step-tickers that are in /etc/ntp.conf.

    ### BEGIN /etc/ntp/step-tickers
    2003server.ads.local
    1.pool.ntp.org
    2.pool.ntp.org

    This will enable the Samba server to sync its time to the AD server.
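The ACL listing from step 15, checked in an added example that is not part of the original howto: it parses `getfacl` text output, applies the mask the way POSIX ACLs do, and lists every entry that ends up with write access. The function names are assumptions of this example.

```python
# Added example: work out who can write to a directory from `getfacl` text output.
TAGS = {"user", "group", "mask", "other"}

def parse_getfacl(text):
    """Return (header, entries); entries are (tag, qualifier, perms) access ACL entries."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# "):                 # "# owner: foo" style header lines
            key, _, value = line[2:].partition(":")
            header[key.strip()] = value.strip()
            continue
        parts = line.split("#")[0].strip().split(":")  # drop any "#effective:" note
        if len(parts) == 3 and parts[0] in TAGS:  # skips default: entries and other noise
            entries.append(tuple(parts))
    return header, entries

def writers(text):
    """List (tag, who) for every ACL entry whose effective permissions include write."""
    header, entries = parse_getfacl(text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    found = []
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        # The mask limits named users, the owning group and named groups,
        # but not the file owner (user::) or other.
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if "w" in perms and (not masked or "w" in mask):
            who = qualifier or {"user": "owner " + header.get("owner", "?"),
                                "group": "owning group " + header.get("group", "?"),
                                "other": "every other account"}[tag]
            found.append((tag, who))
    return found

def world_writable(text):
    """True when the 'other' entry grants write access."""
    return any(tag == "other" for tag, _ in writers(text))

# The listing from step 15, embedded as sample input
STEP15 = """getfacl: Removing leading '/' from absolute path names
# file: home/BACKUPS
# owner: foo
# group: foo
user::rwx
user:administrator:rwx
group::rwx
mask::rwx
other::rwx
"""

if __name__ == "__main__":
    for tag, who in writers(STEP15):
        print(f"write access: {tag} ({who})")
    print("world-writable:", world_writable(STEP15))
```

An `other::rwx` entry means the share path is writable by every local account, not only Administrator; `setfacl -m o::--- /home/BACKUPS` would remove it.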

posted by T'Krin at 11:10 am  

Saturday, December 24, 2005

Merry Christmas

Merry Christmas to all. I hope everyone has a happy and safe holiday.

WoooHooo :D

posted by T'Krin at 11:14 pm  

Sunday, October 30, 2005

Kids and waking up early

As much as I don’t like waking up early, there’s something amazingly cool about waking up to hear your child singing songs rather than yelling or screaming “mommy” or “daddy”. It’s one of those joys you’ll never understand until you have a child of your own.

posted by T'Krin at 1:06 pm  

Monday, September 26, 2005

Wow, what a day!

Talk about crazy Mondays. Issues and phone calls galore. I’m glad Jack is back and Paradox has his car back from the shop. Whew!

posted by T'Krin at 11:01 pm  

Wednesday, February 2, 2005

Gather Windows/Samba Domain Member IP addresses

I maintain four different windows/samba domains at a university and two different hospitals. The domain member machines are spread across multiple subnets at all three locations and have dynamic addressing. I wanted to periodically scan my machines for open ports to see if anything funny was happening. To do this I needed the IPs of the systems that were connected at any given time. Using smbclient and nmblookup together could give me this information. findsmb would not work because it is limited to your current subnet. Therefore, I wrote a script to gather the IPs of domain members, so that I can scan them w/ nmap or just list them. I must thank rcsu in #samba at Freenode for his help to tweak the code. Thanks rcsu!

smbiplookup.pl

posted by tkrin at 11:26 pm  

Thursday, November 18, 2004

Forget your Windows Admin Password?

Never fear… Don’t re-install Windows. Boot from a floppy or CD and use the Offline NT Password and Registry Editor which can be found at http://home.eunet.no/~pnordahl/ntpasswd/.

After you boot it’s pretty simple to reset the Administrator password.

1. Select the partition that contains your Windows install.

2. Specify the path to the registry files, e.g. WINNT/system32/config/

3. Select 1 to load SAM, SECURITY and SYSTEM files

4. Select 1 to edit user data and passwords.

5. Specify the user you wish to alter. Administrator is the default, but you can specify any user you wish.

posted by tkrin at 10:33 am  

Wednesday, November 17, 2004

Automatic Indexing with Apache

Automatic indexing with Apache.

A good write-up that also discusses customizing the view.

posted by tkrin at 11:51 am  

Tuesday, November 16, 2004

Passwords - Common Attacks and Possible Solutions

A decent article at Help Net Security on safe passwords.

posted by tkrin at 11:23 pm  

Friday, October 8, 2004

Wanna be a Mailman?

The following is a mini-Howto on installing and setting up the mailman, http://www.list.org mailing list server.

Its benefits include a web-based interface to list member accounts and to archives, which can be either public or private (for list members only).

A - INSTALLATION

1 - Download the source located at one of the available locations found at http://www.list.org/download.html and save to your favorite dumping ground and unpack.

2 - Create a user and group w/ the name mailman.

3 - If you are sticking w/ defaults, create the directory /usr/local/mailman and give it the appropriate permissions.

# mkdir /usr/local/mailman
# chown mailman.mailman /usr/local/mailman
# chmod 2775 /usr/local/mailman

4 - Change to the mailman source directory and check out the configure script help info, ./configure --help, and also the README.* files that apply to you. In my case, I ran the following:

$ ./configure --with-mail-gid=nogroup --with-cgi-gid=apache --with-mailhost=host.domain.local --with-urlhost=host.domain.local

This tells mailman what group the mail application is run as, what group the cgi scripts are run as, the hostname added to mailing list names and the hostname part of the URL for the mailman web based tools.

5 - Assuming configure has completed successfully, proceed with compiling the source.

# make && make install

B - CONFIGURATION

1 - Configure Apache to allow mailman’s web based interface to work.

Your Apache config must be edited to allow web based access. To allow this, the following should be added to the appropriate Apache config file:

ScriptAlias /mailman /usr/local/mailman/cgi-bin/
  <Directory /usr/local/mailman/cgi-bin>
    Order Deny,Allow
    Allow from all
    Options ExecCGI +FollowSymLinks
  </Directory>

# Alias only the public archives; private archives are reached through
# Mailman's own authenticated CGI, so they must not be aliased here.
Alias /pipermail/ /usr/local/mailman/archives/public/
  <Directory /usr/local/mailman/archives>
    Options +FollowSymLinks
    Order Deny,Allow
    Allow from all
  </Directory>

After this has been done, restart your Apache daemon, e.g. # service httpd restart

2 - Setup the cron file for mailman to perform scheduled tasks, such as
- Managing archives
- retrying failed messages
- mail password reminders to list members

This can be done by issuing the two following commands,


# cd /usr/local/mailman/cron
# crontab -u mailman crontab.in

3 - Edit the default files, mm_cfg.py and Defaults.py


# cd /usr/local/mailman/Mailman
# vi mm_cfg.py

Add the following lines:

DEFAULT_HOST_NAME = 'host.domain.local'
DEFAULT_URL = 'https://host.domain.local/mailman/'

Also, if you wish your lists not to be advertised, i.e. shown on the listinfo page, add the following:

DEFAULT_LIST_ADVERTISED = No

Defaults.py


# cd /usr/local/mailman/Mailman
# vi Defaults.py

IMAGE_LOGOS = 0
DEFAULT_EMAIL_HOST = 'host.domain.local'
DEFAULT_URL_HOST = 'host.domain.local'
DEFAULT_MAX_MESSAGE_SIZE = 500 # KB
DEFAULT_GENERIC_NONMEMBER_ACTION = 3 #3 = Discard
DEFAULT_SUBSCRIBE_POLICY = 2 # 2 = admin approval to subscribe

4 - Create the default mailman mailing list.


# cd /usr/local/mailman
# bin/newlist mailman
               Enter the email address of the person running the list:
               Initial test password:

5 - Configure your SMTP server (in this case Postfix) by adding the following lines to your aliases file.

mailman:              "|/usr/local/mailman/mail/mailman post mailman"
mailman-admin:        "|/usr/local/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/usr/local/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/usr/local/mailman/mail/mailman confirm mailman"
mailman-join:         "|/usr/local/mailman/mail/mailman join mailman"
mailman-leave:        "|/usr/local/mailman/mail/mailman leave mailman"
mailman-owner:        "|/usr/local/mailman/mail/mailman owner mailman"
mailman-request:      "|/usr/local/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/usr/local/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/usr/local/mailman/mail/mailman unsubscribe mailman"

Then run the following to have Postfix see the changes.

 # cd /etc/postfix
 # postalias aliases
 # postfix stop
 # postfix start

C - USING MAILMAN

1 - Point your browser of choice to http://host.domain.local/mailman/admin/mailman/ to see the administrative pages for your new list. From here you can make many configuration changes, which is outside the scope of this mini-howto.

2 - Point your mailing list members to http://host.domain.local/mailman/listinfo/mailman for them to see their available options.

3 - You can check various logs at /usr/local/mailman/logs. If you have any problems, some valuable info may be found here.

4 - More specific documentation can be found at http://www.list.org/docs.html.

Well, this is somewhat terse and is also a first draft, so an error or two may exist, but hopefully it may help someone.

Enjoy….

posted by tkrin at 6:56 am  

Saturday, September 11, 2004

MySQL Core Certification

Well… Took the exam on Friday and…

I passed!!! Just have to wait for the official paper in snail mail. Awe yeah! :-D

posted by tkrin at 9:31 pm  

Friday, August 20, 2004

Dual booting Linux and Windows using LILO

with a slight twist. In preparation for CTCon5 WTF, I decided to set up a Windows install on my Linux-only laptop.

I installed Windows to a spare drive in a spare laptop. I then transferred the drive to a modular bay caddy and put it in my laptop. The typical dual boot setup is to have the Windows install be on /dev/hda or /dev/sda, but in my case it will be /dev/hdc.

I use LILO, version 22.5.9, as my boot loader. I have used GRUB but LILO has always worked so I stick with it. To get this particular setup working, the system needs to be ‘faked out’ to think that /dev/hdc is the primary boot device, /dev/hda. This can be done using the boot-as option in /etc/lilo.conf. This results in a section for the Windows installs as follows:



other = /dev/hdc1
table = /dev/hdc
label = windows
boot-as = 0x80

In my case the LILO boot loader is installed on /dev/hda, which is typical; therefore, the boot-as option must specify the BIOS device code for that hard drive, in my case 0x80.

With that entry in /etc/lilo.conf, you run the /sbin/lilo command to commit the changes. From now on you can boot the Windows install that is on the removable hard drive. Bada bing, bada bang. :)

posted by tkrin at 9:35 pm  