My not so uninteresting notes

Doing GSSAPI in PERL without libauthen-sasl-cyrus-perl

mat — Sat, 26 Nov 2011 00:37:00 +0300

Hability to do GSSAPI for SASL in PERL is great it allow script connections to services (IMAP, LDAP, ...) that require a password without storing the password in clear text.

But current version of libauthen-sasl-cyrus-perl in Debian Squeeze is broken at least partially:

perl: ../../../src/util/support/threads.c :351 : krb5int_key_register:  L'assertion « destructors_set[keynum] == 0 » a échoué</code>

It seems to be the case for some others.

While waiting for the bug to be fixed, there is a solution use the non-cyrus GSSAPI module for SASL, it depends on the PERL implementation of gssapi. By chance it's debian repository so it's rather easy to get them:

sudo apt-get install libgssapi-perl libauthen-sasl-perl

And then in the perl program, insists on using the "pure" PERL of the SASL library:

use Authen::SASL qw(Perl);

Et voilà that's all !

Dissecting FRS protocol with Wireshark

mat — Sat, 29 Oct 2011 19:27:00 +0400

Not long time ago I made a couple of patches for wireshark so that we can generate the FRS dissector from Samba's IDL files.

Now that Wireshark is able to dissect properly this protocol, I've just done a screencast to show how to use Wireshark to dissect a FRS capture.

The technique used in this screencast is also usable for dissection of other protocols (ie. netlogon).

Interoperability lab 2011

mat — Mon, 17 Oct 2011 20:43:00 +0400

2 weeks ago I finished my trip in the US back from the SNIA's SDC and interoperability lab at Microsoft in Redmond. I won't talk much about SDC because my friend and long time team member, Chris Hertel, already did it, like last year it was a great moment of fun, and a pleasure to meet other team members. And as some Microsofters that participate at the AD interoperability lab are also at SDC, it's a kind of warm-up for the next week event: Active Directory interoperability lab.

This was the 4th edition of this lab between Microsoft and the Samba-Team, and my second participation. We usually achieve some terrific results during this lab because of the emulation created by face to face discussion and coding of team members and also because Microsoft provides us both a test infrastructure and real-time support with their engineers on issues that are found during the lab. In 2009 we managed to make directory replication work, opening the way to a first class citizen DC for Samba, in 2010 we worked on read-only DC, BackupKey procotol and an internal DNS server.

This year I had the objective to have a working FRS client. For those who are not too familiar with all the AD technologies, FRS stands for File Replication Protocol. It's one of the options to replicate shares and up to Windows 2008 it was the only option to replicate the sysvol and netlogon share for domain controllers. So in the Samba-Team and in the Samba community we are pretty interested to have this working therefor I decided to work on it. I was quite decided to work on this as much as I could during the lab.

It has turned out not to be the case, mostly because we had the opportunity to test Samba's Active Directory implementation against a couple of test suites, among them netlogon and drs. Although we have our own test suites in the Samba project to avoid regression and check the correct behavior of our products, testing against other test suites can shed light on bugs that we have. And guess what ? we have found some of them during this week but not too much, for sure fixing some flags not correctly set is not as sexy as shiny new features but having a really stable AD implementation is also a good feature and in any case other team members who participated to this event have worked on new features like multi-domain forest or DNS updates for our internal DNS server so we had a week a very studious week.

I'm now waiting for the next one !

More patches

mat — Fri, 08 Jul 2011 23:20:00 +0400

I just pushed most of my patches here not sure it can be always interesting for every body but still there is some quite useful patches like this one.

It allows dokuwiki to accept extensionless files.

SSO for dokuwiki

mat — Fri, 08 Jul 2011 22:49:00 +0400

I tend to prefer dokuwiki over other Wiki tools. One thing that is neat with dokuwiki is that you can use Active Directory as a backend for user storage and user rights. If you don't want to multiply the number of database where your users are and where their right are affected I think that's a must !

But one big minus is that there is no way to use any kind of SSO technics like NTLMSSP auth or Kerberos. That's too bad because I guess people get tired of having to type and retype their password everywhere (and it leads to weaker password to my mind as they know they'll have to type it 10,20 ... 100 times a day).

In order to be able to support SSO the following patch is needed and the use of mod_auth_kerberos.

The patch enable SASL bind in AdLDAP (the library used by dokuwiki for doing Active Directory lookup), as most SASL implementation know how to use Kerberos (well GSSAPI). This implementation know also how to request additional tickets (if delegation is authorized) so that additional connexion can be done without asking the user to (re)enter its password.

I also created a ticket in AdLDAP's request tracker so that hopefully this patch will become mainstream.

Wammu on mac

mat — Sat, 08 Jan 2011 00:12:00 +0300

I lately discovered Wammu, if you need to synchronize contacts between your computer and your phone (not a too fancy one like iphone or any android one's) then you might be interested with it.

This guide explain clearly how to install it so won't do it twice. Nevertheless for those who wants to use it on a mac, there is no available binary distribution or there wasn't. Lately I fixed it and it's available here. This DMG should work for OS X 10.4 and upper (at least it has been tested on Tiger and Snowleopard).

In order to get it on mac you'll need:

Wammu 1.28.95 in DMG format
Python 2.6 (in standard on Snowleopard, for others have a look at python release here)
Wxpython (on more time standard in Snowleopard, for others it's here, be sure to take a version compiled for python 2.6 ...)
A recent version of wammu, why not the version 0.35 !
A patch for making wammu more friendly
A script for starting Wammu

Install the different DMGs, then unzip the wamm-0.35.zip in your home folder and put there the patch and the script. To start just click on Wammu.sh icon.

If you did everything correctly wammu should start, if not well try more !

The trickiest part is to connect your mac and your phone, as the method used in this guide for the phone port didn't work. Instead select the serial emulation solution like pictured below (in my case I need AT over serial line which might be or might not be your case ...)

Then pair your computer with your phone, once paired, open the bluetooth preferences depending on the version of your mac it will look like this on Snowleopard:

And like this on Tiger:

Then click on the Gear symbol or on change serial ports, an approaching window should open:

Note down the name for serial port service (here it's C5212-SerialPort in my example), from the name we can derive the name of the device that you have to specify for Wammu. The device has the following name: /dev/tty.<NAME>. At least SnowLeopard is kind enough to give you the full name for Tiger you have to work it out.

Once you have the name of the device, go back to Wammu, hit the next button and fill the field with the name of the device so that it looks like this:

Correct magic mouse scrolling on Linux

mat — Sat, 16 Oct 2010 16:04:00 +0400

If you're like me you have a magic mouse and you use it under Linux you might have noticed that the scrolling is desperately slow.

A couple of modification made by guys of Ubuntu in May/June should have an impact on it.

Namely this two parameters:

scroll-speed
scroll-acceleration

By default scroll-speed has a value of 32 in a range of 0-63 which is definitely not enough, I found that 45 is ok if used with scroll-acceleration otherwise you have to use more than 50. The parameter scroll-acceleration is not very clear, my understanding is that if you make a small scroll move the scrolling will be small but if you make a a bigger one the scrolling effect will be greatly amplified (it's particularly true if you start or stop from the very top of the mouse).

To test your parameter in order to get the value that suits your need do the following:

rmmod hid_magicmouse;modprobe hid_magicmouse scroll-speed=45 scroll-acceleration=1

Try different value for scroll-speed in order to get the best value that suits your need.

Once it's ok, create a file in /etc/modprobe.d called magicmouse.conf with the following content:

options hid_magicmouse scroll-speed=45 scroll-acceleration=1

Of course change 45 for the value you estimated before.

Enjoy !

Misc notes about truecrypt

mat — Mon, 07 Dec 2009 00:54:00 +0300

Truecrypt is a very handy tool for disk encryption, but it lacks for an enterprise use the capacity to have a remote rescue mode. It's a kind of second very complicated password that you will dictate to the user when he was s****** enough to forgot his boot password.

Well the good news with free software it's that you can always do something as you have the source code. And in the case of Truecrypt it turns out that it seems not so complicated. Here are my notes for someone (maybe me) who wants to add this option.

In Boot/Windows/BootMain.cppBoot/Windows/BootMain.cpp (to support dual password that's all that is needed)

Make OpenVolume read 2 sector instead of 1
Try to read each sector to see if the entered password correspond to one of the two sector
In repair menu define the offset for the second sector holding rescue/admin encoded key

In Common/BootEncryption.cpp (so that when creating the volume a second password can be added)

Make Prepare installation create two volume header (one with the normal password and one for rescue/admin)
Make InstallVolumeHeader install the two volume header

And a few things for password but I didn't investigated much (yet).

Openvpn GUI improvments

mat — Mon, 21 Sep 2009 22:56:00 +0400

Openvpn is a great VPN tool and further more it has client for Linux, Mac OsX and Windows. The latter has also a simple GUI that allow people less familiar with computer to use a VPN.

Unfortunately I found the current version 1.0.3 too limited when dealing with a user with limited right (ie. without administrative rights) so I produced a version 1.0.4 that provide the following improvements:

allow unlimited timeout for the pre-connection script (useful when prompting a user for password)
provide a better feedback to the user on the real status of the connection when using service managed connections
allow to run post connection script per connection when using service managed connection
allow to run a post non connection script per connection when using service managed connection (that is when a connection is though to be unsuccessful)
allow service to be terminated on user logoff or on suspend

I attached to this entry the binary openvpn-gui-1.0.4.exe, the patch from 1.0.3 to 1.0.4 and also a patch to allow to crosscompile openvpn on linux using mingw32 crosscompile environment.

Making DHCP interim still work when bind9 only accept signed requests

mat — Sun, 06 Sep 2009 17:34:00 +0400

Having workstations names updated in the DNS is quite cool and very usefull (the more you use it the more it becomes important to you ...).

The problem is that once you active DDNS update directly from Windows workstations like it's describe here or here it that it usually breaks DHCP interim updates (also known as the second way to make DDNS update works).

You might wonder, why bother to use DDNS update from the workstation if we can achieve it from the DHCP server ?

Well it's simply because sometimes you have resources which IP address is not defined by DHCP server (ie. fixed IP workstations or servers or most important: workstations connected through VPN). We can also wonder why use DHCP interim if DDNS from workstation work, well it's because not all the workstation are for the moment able to update their DHCP records (ie. Mac OsX, Linux, printers, ...).

So you sometimes you want to take the best of the both world, the good news is that it's possible and it's even not very complicated !

This small guide suppose that you have already DHCP interim that was working before you decided to activate signed DDNS (that are used by the Windows workstations), if not please check on this internet for guides like this one or this one

Why DHCP Interim has to be disactivated when signed DDNS is used ?

So most of the tutorial about DHCP DDNS use a configuration like this to authorize updates from the DHCP server:

  allow-update { key dhcpupdate; };

But Bind9 do not accept both allow-update and update-policy

The solution

The solution is to migrate from allow-update to update-policy to do so you have to add something like that to the update-policy for your DNS zone: grant dhcp.example.org subdomain example.org A AAAA; so that the whole thing looks like:

   update-policy {
        grant dhcp.example.org  subdomain example.org A AAAA;
        grant EXAMPLE.ORG ms-self * A AAAA;
   };

Once that done you have to search for the definition of the dhcp update key (here dhcpupdate in my example) and replace it to dhcp.example.org (where example.org is your DNS domain). Usually tutorials propose to create a separate file for storing the key or propose to add a key stanza in the named.conf. Anyhow you have to change it to have something like this:

key dhcp.example.org {
  algorithm hmac-md5;
  secret "YOURKEYGOESHERE";
};

The last step is to modify the dhcpd.conf to replace all the occurrence of old key name to the new one (ie dhcpupdate to dhcp.example.org). Last note: if your dhcp server is on a different server than the DNS server and that the key is stored in a separate file then you need to modify the name of the key in this file as well.

Once every thing is modified you have to restart dhcpd and bind9 and everything should work (you can verify as your mileage can vary ...)

DDNS, Bind9 and MS Active Directory

mat — Sun, 06 Sep 2009 16:54:00 +0400

If you are interested to make Bind9 accept DDNS request directly from Windows workstation (XP, Vista, Seven) or server (2003, 2008, ...) the way proceed is not much different from this one. So reading the howto of Samba4 about DDNS is a good starting point.

The only difference is that by default you do not have an access to the DNS keytab. Hopefully this email give all the needed informations, you need to:

Create a user into your active directory, I suggest bind9 as the login name and also as first name and make the password not to expire (Password never expire)
Modify the /etc/bind/named.conf.option so that the entry tkey-gssapi-credential contains "DNS/bind9.example.org";
Use ktpass to extract the credentials as a keytab:

ktpass -out dns.keytab -princ DNS/bind9.example.org@EXAMPLE.ORG -pass * -mapuser bind@example.org

Of course you should adapt example.org and EXAMPLE.ORG to the name of your AD realm ...

DDNS with Windows and Samba4

mat — Thu, 03 Sep 2009 17:15:00 +0400

I recently tried Dynamic DNS updates (aka DDNS) with Windows XP (but that's valid for anything newer) and Samba4. Globaly the explaination that comes with Samba4 are good but I noted a few points that need to be tweaked (or checked at least) to be sure that it works.

Activate signed DDNS updates

Once you configured the bind server accordingly with the documentation, it will only accept signed updates. On my test systems it turns out that XP didn't send signed updates by default.

To change this you have two choices:

Use GPO
Use local policy editor, this choice is not recommended as the modification has to be done on every workstation in the domain but for testing it's just fine !

To change the DDNS parameters you have to go in Computer Configuration -> Administrative templates -> Network -> DNS Client, if the choice is not present it's mostly likely that you miss the needed adm file (system.adm) they can be found here

Then enable Dynamic Update and Update Security Level (set the latter to Only Secure or Unsecure followed by Secure) select also Register PTR Records if you want PTR record as well. If you choose the GPO way you have to wait for the workstation to update its policy (well you can help it with gpupdate /force).

Configure correctly the reverse zone

Check the SOA record of your reverse zone, the primary name server must be valid an point to your DNS server (the DNS server is the name just after SOA in the record). To check use dig on any ip address of your zone (here my range is 10.6.1.0/24 with the dns server at 10.6.1.1) :dig 1.1.6.10.in-addr.arpa. SOA @10.6.1.1

You should get something similar to this

; <<>> DiG 9.5.1-P2 <<>> 1.1.6.10.in-addr.arpa. SOA @10.6.1.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4956
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;1.1.6.10.in-addr.arpa.         IN      SOA

;; AUTHORITY SECTION:
1.6.10.in-addr.arpa.    604800  IN      SOA     test.smb4.tst. root.localhost. 2009090320 172800 14400 3628800 604800

;; Query time: 2 msec
;; SERVER: 10.6.1.1#53(10.6.1.1)
;; WHEN: Thu Sep  3 19:07:17 2009
;; MSG SIZE  rcvd: 103

Test, test and test

The easiest way to test is to use ipconfig like this ipconfig /registerdns, it will force a Windows to update its DNS records in the DNS server.

Note: This KB from Microsoft explains quite well what are the option for the DNS client in case that you had specials constraints.

Updating wireshark dissectors

mat — Sun, 16 Aug 2009 11:24:00 +0400

Last weeks I've been pretty busy on wireshark dissectors.

Apart from some small modifications in the NTLMSSP dissector, I've been working hard on DCE/RPC dissector for netlogon.

Both lastest patches for this are attached to this entry.

me @ twitter

mat — Thu, 25 Jun 2009 00:15:00 +0400

As a lot of people I just created an account on twitter ! Let see !

NTLMSSP 2

mat — Mon, 04 May 2009 21:35:00 +0400

No it's not the sequel of a film, just an updated version of /public/Download/patchs/patch_ntlm_040509 patch for wireshark. This version add the following updates

Support for DCE/RPC with direct NTLMSSP auth
Support for DCE/RPC with SPNEGO with NTLM auth mechanism

I also started to work on the verfier verification (sic) but it didn't work for DCE/RPC (I didn't get the right HMAC MD5), and I need also to find a way to update information into wireshark to reflect the fact that MD5 (and also NT challenge also in case no good password can be found).

Xerox 7232 & Samba : Veni Vidi Vici

mat — Sat, 02 May 2009 00:35:00 +0400

Well almost ! Last week I've been chasing down problem(s) that prevented this printer to work with samba, or more exactly to be served through samba print server. It's reported here, if you look at the first comment you'll find some idea for the workaround.

Basically the idea is to setup a printer locally give it the same shared name as the one on server, then export the entry into .reg file, then you define the driver for the printer on the server it will generate some error messages but you can ignore them. Then open the server registry (through a XP workstation for instance), load your exported registry entry into server registry, safely ignore error message.

Et voilà you can enjoy your shared printer on a samba server !

Patch for NTLMSPP auth mechanism

mat — Sat, 25 Apr 2009 18:00:00 +0400

I'm quite proud to produce here my first real patch for an opensource project: Wireshark.

The attached patch allow to decode LDAP traffic encoded using NTLMSSP scheme. Even if now kerberos tends to be more and more used for authentification and encryption (through GSSAPI), NTLM and NTLMSSP mechanism is still used frequently by Microsoft products (either as a fallback when kerberos is unavailable, or as the only secure choice like SPA mode in outlook).

So I think that this patch will definitly be useful to others.

The patch is attached to this entry ! (see bellow)

Creating LDAP account in Outlook

mat — Sun, 15 Mar 2009 19:19:00 +0300

I spent a few hours to improve this script to allow creation of multiple LDAP entries with login and password. The result is here: addldap.vbs. It fix some flaws of the previous scripts such as:

only one ldap account
user has a popup on next outlook startup

It works perfectly with anonymous LDAP, but setting a password do not work very well: you can pass an array representing the password obtained by a manual setup.

But It will only work with this account because the password is encoded using DPAPI which use the user personal key to encrypt the data. Trying to deploy this to other user will badly fails (as outlook will find the whole ldap account broken).

There is a way to mitigate this problem: when using SPA authentication outlook will firt use the credential of the logged user before those supplied in the account creation (if they are different). So if you want to have a non anonymous access to LDAP and what the logged user to provide his credential you just have to call the script and supply the username, an empty array as password and set doSPA parameter to 1.

I also discovered that unlike email accounts, LDAP accounts do not prompt the user when the password is wrong. Which reduce the number of prompt the user receive when a password has expired.

At the end the only two cases where this script is useless are:

accessing an LDAP with a generic account
accessing an LDAP that do not support SPA (aka NTLM authentication)

I guess those case are pretty rare (well I hope)

Putting all together

mat — Sun, 19 Oct 2008 20:07:00 +0400

I have been busy last weeks making L4SUS more friendly or at least less complicated !

I am quite happy of what I acheived so far. As the title says I put everything together to make a real install guide and some documentation.

All of this is the 0.1 release you will need the zip and the tar file because it was easier to package one for windows and the other one for Unix/Linux/....

Enjoy !

l4sus_0.10.zip and l4sus_0.10.tar.gz

Fighting with call progress tones

mat — Sat, 11 Oct 2008 17:08:00 +0400

If you are like me a happy owner of any sippura (or now linksys spa) ata device and you are not living in US, then configuring the regional part of the device can be complicated. Especially the "Call Progress Tones" part.

First you have to know that the real important part is the following tones:

Dial Tone
Second Dial Tone
Outside Dial Tone
Prompt Tone
Busy Tone
Reorder Tone
Off Hook Warning Tone
Ring Back Tone

All this tones use a rule with the following syntax:

 freq1@db_level1,freq2@db_level2,...,freqn@db_leveln;
 num_seconds(frequency_sequence1,frequency_sequence2,...,frequency_sequencen)

With frequency_sequence with this syntax: num_seconds_on/num_seconds_off/frequencies

With this explainations 480@-19,620@-19;10(.5/.5/1+2) is quite simple to understand it is a signal of two frequencies :
480Hz and 620Hz both at -19dB during 10 seconds both frequencies (due to 1+2) will be played with this rhythm: half of second (.5) on and half of second off.

This more complicated one: 985@-16,1371@-16,1777@-16;*(.380/0/1,.274/0/2,.380/0/3,0/4/0) consists of 3 frequencies:
985Hz, 1371Hz and 1777Hz all at -16dB they will played forever (until status change for instance ...) with the following rhythm: 985Hz during 0,380 seconds then 1371Hz during 0,274 seconds then 1777Hz for 0,380 and finally no tone during 4 seconds.

If you are searching for the frequency for your country indications.conf from asterisk is your friend.