My not so uninteresting notes

Having workstations names updated in the DNS is quite cool and very usefull (the more you use it the more it becomes important to you ...).

The problem is that once you active DDNS update directly from Windows workstations like it's describe here or here it that it usually breaks DHCP interim updates (also known as the second way to make DDNS update works).

You might wonder, why bother to use DDNS update from the workstation if we can achieve it from the DHCP server ?

Well it's simply because sometimes you have resources which IP address is not defined by DHCP server (ie. fixed IP workstations or servers or most important: workstations connected through VPN). We can also wonder why use DHCP interim if DDNS from workstation work, well it's because not all the workstation are for the moment able to update their DHCP records (ie. Mac OsX, Linux, printers, ...).

So you sometimes you want to take the best of the both world, the good news is that it's possible and it's even not very complicated !

I recently tried Dynamic DNS updates (aka DDNS) with Windows XP (but that's valid for anything newer) and Samba4. Globaly the explaination that comes with Samba4 are good but I noted a few points that need to be tweaked (or checked at least) to be sure that it works.

Activate signed DDNS updates

Once you configured the bind server accordingly with the documentation, it will only accept signed updates. On my test systems it turns out that XP didn't send signed updates by default.

To change this you have two choices:

• Use GPO
• Use local policy editor, this choice is not recommended as the modification has to be done on every workstation in the domain but for testing it's just fine !

To change the DDNS parameters you have to go in Computer Configuration -> Administrative templates -> Network -> DNS Client, if the choice is not present it's mostly likely that you miss the needed adm file (system.adm) they can be found here

Then enable Dynamic Update and Update Security Level (set the latter to Only Secure or Unsecure followed by Secure) select also Register PTR Records if you want PTR record as well. If you choose the GPO way you have to wait for the workstation to update its policy (well you can help it with gpupdate /force).

Configure correctly the reverse zone

Check the SOA record of your reverse zone, the primary name server must be valid an point to your DNS server (the DNS server is the name just after SOA in the record). To check use dig on any ip address of your zone (here my range is 10.6.1.0/24 with the dns server at 10.6.1.1) :dig 1.1.6.10.in-addr.arpa. SOA @10.6.1.1

You should get something similar to this

; <<>> DiG 9.5.1-P2 <<>> 1.1.6.10.in-addr.arpa. SOA @10.6.1.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4956
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;1.1.6.10.in-addr.arpa.         IN      SOA

;; AUTHORITY SECTION:
1.6.10.in-addr.arpa.    604800  IN      SOA     test.smb4.tst. root.localhost. 2009090320 172800 14400 3628800 604800

;; Query time: 2 msec
;; SERVER: 10.6.1.1#53(10.6.1.1)
;; WHEN: Thu Sep  3 19:07:17 2009
;; MSG SIZE  rcvd: 103

Test, test and test

The easiest way to test is to use ipconfig like this ipconfig /registerdns, it will force a Windows to update its DNS records in the DNS server.

Note: This KB from Microsoft explains quite well what are the option for the DNS client in case that you had specials constraints.

As a lot of people I just created an account on twitter ! Let see !

Well almost ! Last week I've been chasing down problem(s) that prevented this printer to work with samba, or more exactly to be served through samba print server. It's reported here, if you look at the first comment you'll find some idea for the workaround.

Basically the idea is to setup a printer locally give it the same shared name as the one on server, then export the entry into .reg file, then you define the driver for the printer on the server it will generate some error messages but you can ignore them. Then open the server registry (through a XP workstation for instance), load your exported registry entry into server registry, safely ignore error message.

Et voilà you can enjoy your shared printer on a samba server !

I spent a few hours to improve this script to allow creation of multiple LDAP entries with login and password. The result is here: addldap.vbs. It fix some flaws of the previous scripts such as:

• only one ldap account
• user has a popup on next outlook startup

It works perfectly with anonymous LDAP, but setting a password do not work very well: you can pass an array representing the password obtained by a manual setup.

But It will only work with this account because the password is encoded using DPAPI which use the user personal key to encrypt the data. Trying to deploy this to other user will badly fails (as outlook will find the whole ldap account broken).

There is a way to mitigate this problem: when using SPA authentication outlook will firt use the credential of the logged user before those supplied in the account creation (if they are different). So if you want to have a non anonymous access to LDAP and what the logged user to provide his credential you just have to call the script and supply the username, an empty array as password and set doSPA parameter to 1.

I also discovered that unlike email accounts, LDAP accounts do not prompt the user when the password is wrong. Which reduce the number of prompt the user receive when a password has expired.

At the end the only two cases where this script is useless are:

• accessing an LDAP with a generic account
• accessing an LDAP that do not support SPA (aka NTLM authentication)

I guess those case are pretty rare (well I hope)

If you are like me a happy owner of any sippura (or now linksys spa) ata device and you are not living in US, then configuring the regional part of the device can be complicated. Especially the "Call Progress Tones" part.

First you have to know that the real important part is the following tones:

• Dial Tone
• Second Dial Tone
• Outside Dial Tone
• Prompt Tone
• Busy Tone
• Reorder Tone
• Off Hook Warning Tone
• Ring Back Tone

All this tones use a rule with the following syntax:

 freq1@db_level1,freq2@db_level2,...,freqn@db_leveln;
 num_seconds(frequency_sequence1,frequency_sequence2,...,frequency_sequencen)

With frequency_sequence with this syntax: num_seconds_on/num_seconds_off/frequencies

With this explainations 480@-19,620@-19;10(.5/.5/1+2) is quite simple to understand it is a signal of two frequencies :
480Hz and 620Hz both at -19dB during 10 seconds both frequencies (due to 1+2) will be played with this rhythm: half of second (.5) on and half of second off.

This more complicated one: 985@-16,1371@-16,1777@-16;*(.380/0/1,.274/0/2,.380/0/3,0/4/0) consists of 3 frequencies:
985Hz, 1371Hz and 1777Hz all at -16dB they will played forever (until status change for instance ...) with the following rhythm: 985Hz during 0,380 seconds then 1371Hz during 0,274 seconds then 1777Hz for 0,380 and finally no tone during 4 seconds.

If you are searching for the frequency for your country indications.conf from asterisk is your friend.

I am about to write a few articles about not so bad technics to fight efficiently spam, along the past years I developped some technics to fight spam. The latest ones seems to provide a high ratio in term of efficiency it means high quantity of spam catched and almost no false positive. I started developping this for my own personnal domain and due to my current job expand and enhance this for the company where I work for.

At the beginning it was quite simple because for my personnal use, I work with thunderbird and it includes since a long time a very good spam filter which require not so much trainning before achieving a very good filter quality and so I didn't worried much about the quality of filtering done right on the server by the SPAM filter.

But, alas, thunderbird (as many other opensource project btw) is not corporate enougth and we are stuck with outlook ... The Junk filter of the latest is rather complicated and rather unusefull. So if you want to reduce the cries of the users about SPAM you have to find a good solution on the server.

The technics that I'll present are built around spamassassin and bayesian filtering, that's not revolutionnary technologies but with a fairly good (and not complicated) and quick tuning you can acheive a very good result.

It might seems unlogical (and it is a little bit) but I'll start this serie by an article on how to train automaticaly an already running spam filter based on bayesian filtering, article about how to setup it will follow but a bit later. My reason for this is that there is tons of guides on Internet on how to setup bayes in spamassassin, whereas articles on how to train it (without the help of the standard users feedback) are rare.

Part 1: setting a spamtrap

My first public release included some bugs.

I just release right now the version 0.02, it fixes lots of typo in my first release.

The whole system is pretty stable now, but it rely on automation both on the client and the server so now it's time to move on something else:

• Create installer for windows using something like nsis so that simple configuration and scheduled tasks can be created automaticaly
• See with OCS Ng what can be done to go further in the automation
• Use offline database wsusscn2.cab to save bandwith when checking for updates (at least as an option)
• Dig more deeply in the documentation of WSUS API in order to have more informations about updates.

The lastest version is here

To be continued ...

A couple of month ago I was searching for a solution for managing windows updates (and maybe more).

Out of the box you've got two solutions :

• Standard Windows Update mechanisms
• WSUS (Windows Server Update Service)

Both were not ok for my needs in a small sized company, here are the reasons:

Standard Windows Update

When you have non IT users (which is the case of nearly every companies) you must enable automatic updates.

Main drawbacks of this methods is that you don't control which updates are installed and which are not and each computers download a copy from internet which is inefficient and a pure waste of bandwidth and could even be a big problems when the size of company grow beyond a few tens of users.

WSUS

WSUS is a good solution from Microsoft to address the problems of standard update.

You setup the service and it will manage to find available updates, then you select the one you want and they will be downloaded. On the client you just have to change the address of the update server to point to your own update server and voilà everything is working !

But It oblige you to have a Windows 2000 or 2003 server and I really hate the strategy of lock down done by Microsoft.

As both solutions didn't suits my needs, I started looking for others. I found LSUS which is available into Samba-edu as it is an opensource project, I am pretty sure that it is quite easy to extract the LSUS part but I decided not to investigate more in this way.

At this moment I decided to investigate different solution and through Windows Update API manage to have something even not complete. The script listupdates.vbs is this result. This script for the moment just output the name and the url for the different updates, but it should not be very difficult to add the missing parts.