My not so uninteresting notes


Friday 1 March 2013

Power button & KVM

I had a couple of VMs that wouldn't power off nicely when I sent the poweroff command in virsh or used the power button in virt-manager.

I discovered today that checking that acpid is running and that there is a script called button (or whatever name, but without a .conf suffix) with the following content was sufficient to fix this issue:

event=button[ /]power
action=/sbin/shutdown -h now

Hope this will help others.

Saturday 24 November 2012

Keeping notes after rebase

I really love git notes: they let you attach notes to a git commit without changing the commit.

Now that the Samba project is experimenting with quasi-systematic patch review, I use the notes to track the patches I submitted, when, and the status of the review.

The problem is that rebase loses the notes, which is annoying, so I just wrote this hook to keep them:

#!/bin/sh

# Keep the notes: rebase feeds one "old-sha new-sha [extra]" line per
# rewritten commit on stdin, so copy the note of each old commit to the new one.
# Save as .git/hooks/post-rewrite and make it executable (chmod +x).
while read old new other; do
        git notes copy "$old" "$new" 2>/dev/null
done
exit 0

To use it, just save this snippet as hooks/post-rewrite in the .git folder.
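As an added demonstration (not from the original post), the following script builds a throw-away repository, installs the hook above, attaches a note to a patch commit, rebases it and checks that the note followed the rewritten commit; the repository, branch name and note text are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a temporary repo, the post-rewrite hook from the post,
# one note, one rebase, and a check that the note moved with the commit.
set -e
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null   # ignore user/system git config

# Write the hook from the post into $1/.git/hooks and make it executable.
install_notes_hook() {
    cat > "$1/.git/hooks/post-rewrite" <<'EOF'
#!/bin/sh
# rebase feeds "old-sha new-sha [extra]" lines on stdin, one per rewritten commit
while read old new other; do
        git notes copy "$old" "$new" 2>/dev/null
done
exit 0
EOF
    chmod +x "$1/.git/hooks/post-rewrite"
}

# Returns 0 when the note attached before the rebase is still readable on the
# rewritten commit afterwards, 1 otherwise. Runs in a subshell so the cd and
# the temporary repository do not leak into the caller.
note_survives_rebase() (
    repo=$(mktemp -d)
    git -c init.defaultBranch=main init -q "$repo"
    cd "$repo"
    install_notes_hook "$repo"

    echo base > f; git add f; git commit -q -m "base"
    main=$(git symbolic-ref --short HEAD)      # whatever name git chose for the first branch

    git checkout -q -b review/my-patch
    echo patch > p; git add p; git commit -q -m "s4: constructed patch"
    git notes add -m "sent to samba-technical 2012-11-24, waiting for review"
    before=$(git rev-parse HEAD)

    git checkout -q "$main"
    echo upstream > u; git add u; git commit -q -m "upstream moved on"

    git checkout -q review/my-patch
    git rebase -q "$main"                      # rewrites the patch commit, fires post-rewrite
    after=$(git rev-parse HEAD)

    result=0
    [ "$before" != "$after" ] || result=1      # sanity check: a rewrite really happened
    git notes show "$after" 2>/dev/null | grep -q "waiting for review" || result=1
    cd / && rm -rf "$repo"
    exit $result
)
```

Without the hook (or the notes.rewriteRef setting, which is unset by default) the last check fails, because git does not carry notes across a rebase on its own.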

Wednesday 10 October 2012

IOlab 2012

It happens at almost the same period of the year every time, and at (almost) the same location. It's the third time in a row for me and I still have the same pleasure in getting there, working hard on Samba, exchanging ideas and anecdotes with other team members and, unfortunately, not sleeping too much.

What makes this event quite unique and productive is that we usually have a limited set of goals that we want to achieve during the week, and the presence of ~8 team members surrounded by Microsoft's engineers creates this emulation (well, at least that's my theory!).

Here we are all in the "war room" (photo: At work)

In previous years during this event we:

  • added support for Windows joining a Samba 4 AD domain
  • added support for RODC
  • added partial support for multi-domain forest


Saturday 26 November 2011

Doing GSSAPI in PERL without libauthen-sasl-cyrus-perl

The ability to do GSSAPI for SASL in PERL is great: it allows scripted connections to services (IMAP, LDAP, ...) that require a password, without storing the password in clear text.

But the current version of libauthen-sasl-cyrus-perl in Debian Squeeze is broken, at least partially:

perl: ../../../src/util/support/threads.c :351 : krb5int_key_register:  L'assertion « destructors_set[keynum] == 0 » a échoué

It seems to be the case for some others as well.

While waiting for the bug to be fixed, there is a solution: use the non-Cyrus GSSAPI module for SASL, which depends on the PERL implementation of GSSAPI. By chance both are in the Debian repository, so they are rather easy to get:

sudo apt-get install libgssapi-perl libauthen-sasl-perl

And then, in the perl program, insist on using the "pure" PERL implementation of the SASL library:

use Authen::SASL qw(Perl);

Et voilà, that's all!

Saturday 29 October 2011

Dissecting FRS protocol with Wireshark

Not long ago I made a couple of patches for Wireshark so that we can generate the FRS dissector from Samba's IDL files.

Now that Wireshark is able to dissect this protocol properly, I've just done a screencast to show how to use Wireshark to dissect an FRS capture.

The technique used in this screencast is also usable for dissecting other protocols (e.g. netlogon).

Monday 17 October 2011

Interoperability lab 2011

2 weeks ago I finished my trip in the US, back from SNIA's SDC and the interoperability lab at Microsoft in Redmond. I won't talk much about SDC because my friend and long-time team member, Chris Hertel, already did; like last year it was a great moment of fun and a pleasure to meet other team members. And as some Microsofters who participate in the AD interoperability lab are also at SDC, it's a kind of warm-up for the next week's event: the Active Directory interoperability lab.

This was the 4th edition of this lab between Microsoft and the Samba-Team, and my second participation. We usually achieve some terrific results during this lab because of the emulation created by face-to-face discussion and coding between team members, and also because Microsoft provides us both a test infrastructure and real-time support from their engineers on issues found during the lab. In 2009 we managed to make directory replication work, opening the way to a first-class-citizen DC for Samba; in 2010 we worked on the read-only DC, the BackupKey protocol and an internal DNS server.

This year my objective was to have a working FRS client. For those who are not too familiar with all the AD technologies, FRS stands for File Replication Protocol. It's one of the options to replicate shares, and up to Windows 2008 it was the only option to replicate the sysvol and netlogon shares for domain controllers. So in the Samba-Team and in the Samba community we are pretty interested in having this working, therefore I decided to work on it. I was quite decided to work on this as much as I could during the lab.

It turned out not to be the case, mostly because we had the opportunity to test Samba's Active Directory implementation against a couple of test suites, among them netlogon and drs. Although we have our own test suites in the Samba project to avoid regressions and check the correct behavior of our products, testing against other test suites can shed light on bugs that we have. And guess what? We found some of them during this week, but not too many. For sure, fixing some flags that were not correctly set is not as sexy as shiny new features, but having a really stable AD implementation is also a good feature. In any case, other team members who participated in this event worked on new features like multi-domain forest or DNS updates for our internal DNS server, so we had a very studious week.

I'm now waiting for the next one!

Friday 8 July 2011

More patches

I just pushed most of my patches here; not sure they are always interesting for everybody, but still there are some quite useful patches like this one.

It allows dokuwiki to accept extensionless files.

SSO for dokuwiki

I tend to prefer dokuwiki over other wiki tools. One thing that is neat with dokuwiki is that you can use Active Directory as a backend for user storage and user rights. If you don't want to multiply the number of databases where your users and their rights are stored, I think that's a must!

But one big minus is that there is no way to use any kind of SSO technique like NTLMSSP auth or Kerberos. That's too bad because I guess people get tired of having to type and retype their password everywhere (and to my mind it leads to weaker passwords, as they know they'll have to type it 10, 20 ... 100 times a day).

In order to support SSO, the following patch is needed, together with the use of mod_auth_kerberos.

The patch enables SASL bind in AdLDAP (the library used by dokuwiki for Active Directory lookups), as most SASL implementations know how to use Kerberos (well, GSSAPI). This implementation also knows how to request additional tickets (if delegation is authorized), so that additional connections can be made without asking the user to (re)enter their password.

I also created a ticket in AdLDAP's request tracker, so hopefully this patch will become mainstream.

Saturday 8 January 2011

Wammu on mac

I lately discovered Wammu; if you need to synchronize contacts between your computer and your phone (not a too fancy one like an iPhone or any Android one) then you might be interested in it.

This guide explains clearly how to install it, so I won't do it twice. Nevertheless, for those who want to use it on a Mac, there is no binary distribution available, or rather there wasn't. Lately I fixed that and it's available here. This DMG should work for OS X 10.4 and up (at least it has been tested on Tiger and Snow Leopard).

In order to get it on a Mac you'll need:

  • Wammu 1.28.95 in DMG format
  • Python 2.6 (standard on Snow Leopard; for others, have a look at the Python releases here)
  • wxPython (once more, standard on Snow Leopard; for others it's here, be sure to take a version compiled for Python 2.6 ...)
  • A recent version of Wammu, why not version 0.35!
  • A patch for making Wammu more friendly
  • A script for starting Wammu

Install the different DMGs, then unzip wammu-0.35.zip in your home folder and put the patch and the script there. To start, just click on the Wammu.sh icon.

If you did everything correctly, Wammu should start; if not, well, try again!

The trickiest part is connecting your Mac and your phone, as the method used in this guide for the phone port didn't work. Instead select the serial emulation solution as pictured below (in my case I need AT over serial line, which may or may not be your case ...) (see wammu1.png).

Then pair your computer with your phone. Once paired, open the Bluetooth preferences; depending on the version of your Mac, it will look like this on Snow Leopard (see btmac1.png):

And like this on Tiger (see btmac1bis.png):

Then click on the gear symbol or on "change serial ports", and a window like this should open:

(see btmac2.png)

Note down the name of the serial port service (here it's C5212-SerialPort in my example); from the name we can derive the name of the device that you have to specify for Wammu. The device has the following name: /dev/tty.<NAME>. At least Snow Leopard is kind enough to give you the full name; on Tiger you have to work it out.

Once you have the name of the device, go back to Wammu, hit the next button and fill in the field with the name of the device so that it looks like this (see wammu2.png).

Saturday 16 October 2010

Correct magic mouse scrolling on Linux

If, like me, you have a Magic Mouse and use it under Linux, you might have noticed that the scrolling is desperately slow.

A couple of modifications made by the Ubuntu guys in May/June should have an impact on it.

Namely these two parameters:

  • scroll-speed
  • scroll-acceleration

By default scroll-speed has a value of 32 in a range of 0-63, which is definitely not enough; I found that 45 is ok if used with scroll-acceleration, otherwise you have to use more than 50. The parameter scroll-acceleration is not very clear; my understanding is that if you make a small scroll move the scrolling will be small, but if you make a bigger one the scrolling effect will be greatly amplified (it's particularly true if you start or stop from the very top of the mouse).

To test your parameters in order to find the value that suits your needs, do the following:

rmmod hid_magicmouse;modprobe hid_magicmouse scroll-speed=45 scroll-acceleration=1

Try different values for scroll-speed to find the one that suits your needs best.

Once it's ok, create a file in /etc/modprobe.d called magicmouse.conf with the following content:

options hid_magicmouse scroll-speed=45 scroll-acceleration=1

Of course, replace 45 with the value you determined before.

Enjoy !

Monday 7 December 2009

Misc notes about truecrypt

TrueCrypt is a very handy tool for disk encryption, but for enterprise use it lacks the capacity to have a remote rescue mode. It's a kind of second, very complicated password that you dictate to the user when he was s****** enough to forget his boot password.

Well, the good news with free software is that you can always do something, as you have the source code. And in the case of TrueCrypt it turns out that it seems not so complicated. Here are my notes for someone (maybe me) who wants to add this option.

In Boot/Windows/BootMain.cpp (to support a dual password, that's all that is needed):

  • Make OpenVolume read 2 sectors instead of 1
  • Try each sector to see if the entered password corresponds to one of the two sectors
  • In the repair menu, define the offset for the second sector holding the rescue/admin encoded key

In Common/BootEncryption.cpp (so that a second password can be added when creating the volume):

  • Make Prepare installation create two volume headers (one with the normal password and one for rescue/admin)
  • Make InstallVolumeHeader install the two volume headers

And a few things for the password, but I haven't investigated much (yet).

Monday 21 September 2009

Openvpn GUI improvements

OpenVPN is a great VPN tool and furthermore it has clients for Linux, Mac OS X and Windows. The latter also has a simple GUI that allows people less familiar with computers to use a VPN.

Unfortunately I found the current version 1.0.3 too limited when dealing with a user with limited rights (i.e. without administrative rights), so I produced a version 1.0.4 that provides the following improvements:

  • allow an unlimited timeout for the pre-connection script (useful when prompting a user for a password)
  • provide better feedback to the user on the real status of the connection when using service-managed connections
  • allow running a post-connection script per connection when using service-managed connections
  • allow running a post-non-connection script per connection when using service-managed connections (that is, when a connection is thought to be unsuccessful)
  • allow the service to be terminated on user logoff or on suspend

Attached to this entry are the binary openvpn-gui-1.0.4.exe, the patch from 1.0.3 to 1.0.4 and also a patch that allows cross-compiling OpenVPN on Linux using the mingw32 cross-compile environment.

Sunday 6 September 2009

Making DHCP interim still work when bind9 only accepts signed requests

Having workstation names updated in the DNS is quite cool and very useful (the more you use it, the more important it becomes to you ...).

The problem is that once you activate DDNS updates directly from Windows workstations, as described here or here, it usually breaks DHCP interim updates (also known as the second way to make DDNS updates work).

You might wonder: why bother using DDNS updates from the workstation if we can achieve it from the DHCP server?

Well, it's simply because sometimes you have resources whose IP address is not defined by the DHCP server (i.e. fixed-IP workstations or servers or, most importantly, workstations connected through a VPN). We can also wonder why use DHCP interim if DDNS from the workstation works; well, it's because not all workstations are for the moment able to update their DNS records (i.e. Mac OS X, Linux, printers, ...).

So sometimes you want the best of both worlds; the good news is that it's possible and it's not even very complicated!


DDNS, Bind9 and MS Active Directory

If you are interested in making Bind9 accept DDNS requests directly from Windows workstations (XP, Vista, Seven) or servers (2003, 2008, ...), the way to proceed is not much different from this one. So reading the Samba4 howto about DDNS is a good starting point.

The only difference is that by default you do not have access to the DNS keytab. Hopefully this email gives all the needed information; you need to:

  1. Create a user in your Active Directory; I suggest bind9 as the login name and also as first name, and make the password not expire (Password never expires)
  2. Modify /etc/bind/named.conf.options so that the entry tkey-gssapi-credential contains "DNS/bind9.example.org";
  3. Use ktpass to extract the credentials as a keytab:
ktpass -out dns.keytab -princ DNS/bind9.example.org@EXAMPLE.ORG -pass * -mapuser bind@example.org

Of course you should adapt example.org and EXAMPLE.ORG to the name of your AD realm ...

Thursday 3 September 2009

DDNS with Windows and Samba4

I recently tried Dynamic DNS updates (aka DDNS) with Windows XP (but that's valid for anything newer) and Samba4. Globally, the explanations that come with Samba4 are good, but I noted a few points that need to be tweaked (or at least checked) to be sure that it works.

Activate signed DDNS updates

Once you have configured the bind server according to the documentation, it will only accept signed updates. On my test systems it turned out that XP didn't send signed updates by default.

To change this you have two choices:

  • Use GPO
  • Use the local policy editor; this choice is not recommended as the modification has to be done on every workstation in the domain, but for testing it's just fine!

To change the DDNS parameters you have to go to Computer Configuration -> Administrative Templates -> Network -> DNS Client; if the choice is not present, it's most likely that you are missing the needed adm file (system.adm); they can be found here.

Then enable Dynamic Update and Update Security Level (set the latter to Only Secure, or Unsecure followed by Secure), and also select Register PTR Records if you want PTR records as well. If you choose the GPO way you have to wait for the workstation to update its policy (well, you can help it with gpupdate /force).

Configure correctly the reverse zone

Check the SOA record of your reverse zone: the primary name server must be valid and point to your DNS server (the DNS server is the name just after SOA in the record). To check, use dig on any IP address of your zone (here my range is 10.6.1.0/24 with the DNS server at 10.6.1.1):

dig 1.1.6.10.in-addr.arpa. SOA @10.6.1.1

You should get something similar to this:

; <<>> DiG 9.5.1-P2 <<>> 1.1.6.10.in-addr.arpa. SOA @10.6.1.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4956
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;1.1.6.10.in-addr.arpa.         IN      SOA

;; AUTHORITY SECTION:
1.6.10.in-addr.arpa.    604800  IN      SOA     test.smb4.tst. root.localhost. 2009090320 172800 14400 3628800 604800

;; Query time: 2 msec
;; SERVER: 10.6.1.1#53(10.6.1.1)
;; WHEN: Thu Sep  3 19:07:17 2009
;; MSG SIZE  rcvd: 103

Test, test and test

The easiest way to test is to use ipconfig like this: ipconfig /registerdns. It will force Windows to update its DNS records in the DNS server.

Note: this KB from Microsoft explains quite well what the options for the DNS client are, in case you have special constraints.

Sunday 16 August 2009

Updating wireshark dissectors

These last weeks I've been pretty busy on Wireshark dissectors.

Apart from some small modifications in the NTLMSSP dissector, I've been working hard on the DCE/RPC dissector for netlogon.

Both latest patches for this are attached to this entry.

Thursday 25 June 2009

me @ twitter

Like a lot of people, I just created an account on Twitter! Let's see!

Monday 4 May 2009

NTLMSSP 2

No, it's not the sequel of a film, just an updated version of the /public/Download/patchs/patch_ntlm_040509 patch for Wireshark. This version adds the following:

  • Support for DCE/RPC with direct NTLMSSP auth
  • Support for DCE/RPC with SPNEGO with NTLM auth mechanism

I also started to work on the verifier verification (sic), but it didn't work for DCE/RPC (I didn't get the right HMAC-MD5), and I also need to find a way to update information in Wireshark to reflect the fact that MD5 (and also the NT challenge, in case no good password can be found).

Saturday 2 May 2009

Xerox 7232 & Samba : Veni Vidi Vici

Well, almost! Last week I've been chasing down problem(s) that prevented this printer from working with Samba, or more exactly from being served through the Samba print server. It's reported here; if you look at the first comment you'll find some ideas for the workaround.

Basically the idea is to set up the printer locally and give it the same share name as the one on the server, then export the entry into a .reg file. Then define the driver for the printer on the server; it will generate some error messages but you can ignore them. Then open the server registry (through an XP workstation for instance), load your exported registry entry into the server registry, and safely ignore the error message.

Et voilà, you can enjoy your shared printer on a Samba server!

Saturday 25 April 2009

Patch for NTLMSSP auth mechanism

I'm quite proud to present here my first real patch for an open-source project: Wireshark.

The attached patch allows decoding LDAP traffic encoded using the NTLMSSP scheme. Even if Kerberos now tends to be used more and more for authentication and encryption (through GSSAPI), the NTLM and NTLMSSP mechanisms are still frequently used by Microsoft products (either as a fallback when Kerberos is unavailable, or as the only secure choice, like SPA mode in Outlook).

So I think that this patch will definitely be useful to others.

The patch is attached to this entry! (see below)
