synapse unsync

One problem I’ve been having recently with MS WinXP workstations connecting and authenticating to a Samba PDC is that the workstation cannot authenticate to the PDC and download the roaming profile (it uses the local cached copy of the profile instead). The problem seems to be occurring quite frequently with a new generation of “power efficient” workstations from several different brand name manufacturers although I did have experience of this with some workstations a couple of years ago.

What seems to happen is that the network does not startup before the Ctrl+Alt+Del and login dialog appears. If the workstation is left for about 5-10 minutes the problem usually goes away. Occasionally though the problem becomes so persistent that no matter how often you reboot and regardless of how long you wait the PDC remains uncontactable. The problem is intermittent and inconsistent, for some workstations it will always happen, for others it only appears sporadically.

How to get around it? I’ve found that forcing windows to start its networking synchronously during the initial workstation startup seems to fix the problem. Making this happen requires a change to registry settings so save the following with a filename of <somefile>.reg …

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon]
“SyncForegroundPolicy”=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
“SyncForegroundPolicy”=dword:00000001

According the docs at Microsoft’s Technet site setting this value to dword 1 causes the operating system to “Always wait for the network at computer startup and logon.” Why two different registry settings? Microsoft’s docs say that the first entry in the Policies section of the registry is all that is needed but when inspecting a workstation registry one day I found this actual attribute (with a setting of dword 0) in the second branch of the registry … “so to be sure, to be sure” I’ve added it in both locations.

No comments »

I know, you’re asking why would anyone want to do this? Well the answer is that the version I have to work with (VMWare ESX 3.0.2 Starter Edition) does not include support for cloning VMs!!!

Firstly you need to read the excellent notes posted by Mario at http://www.mariospina.com/braindump/ on cloning VMWare ESX 3.0.1 by hand. In addition to the steps that Mario lists in his notes, I found that:

1. I could not rename the *flat.vmdk as there was some binary reference to it.
2. You must recreate the ethernet connection otherwise you will have multiple VMs with duplicate mac addresses (obviously you also need to change the ip address of the VM as well).
3. I had to change the vm machine id VMId in the .vmxf file so that it was unique amongst all the VMs. I guess this could eventually come back to bite me if/when VMWare creates a VM with the same VMId!!

I should also add that these instructions seem to work OK on VMWare ESX 3.0.2.

No comments »

Postgres triggers are created in 2 stages, firstly you create the trigger function then you link the function to the trigger event. In this sample code a function that fires during before an INSERT event updates a column in the table where the data is being inserted. The function uses an internal (SQL92 compliant) string manipulation function to create the additional data that is required to complete the insert. The column has been defined as char (8), the data being manipulated is a postgres date type and must be cast to a text type. Note also that text types are indexed starting at a base of 1 (not 0 as with ‘C’ character arrays).

CREATE OR REPLACE FUNCTION set_initial_pass() RETURNS trigger AS $set_initial_pass$
DECLARE
yyyy char(4);
mm   char(2);
dd   char(2);
BEGIN
yyyy := substring(cast(NEW.dob as text) from 1 for 4);
mm   := substring(cast(NEW.dob as text) from  6 for 2);
dd   := substring(cast(NEW.dob as text) from 9 for 2);
NEW.initial_code := dd||mm||yyyy;

RETURN NEW;
END;
$set_initial_pass$
LANGUAGE 'plpgsql' VOLATILE COST 100;
ALTER FUNCTION set_initial_pass() OWNER TO script;

Now create the trigger and attach the function above.


CREATE TRIGGER set_initial_pass
BEFORE INSERT
ON person
FOR EACH ROW
EXECUTE PROCEDURE set_initial_pass();


This example was created using pgadmin III.

No comments »

To apply Sun packages manually use the pkgadd command

pkgadd -d full-path-to-package package-name

eg. pkgadd -d /cdrom/Sol10/pkg SUNWlucfg

No comments »

The Sun Update Manger usually downloads patches to ⁄var⁄sadm⁄spool as .jar files but cannot always apply the patches from the GUI. In this case you may need to open a terminal window and use:

patchadd [-n] [-B full-path-to-backout-directory -M full-path-patch-directory patch-file-name
where:
-n … do not check the patch signing
-B … backout directory. This can be omitted if you don’t ever want to back out of a patch!!
-M … path to location of patch. ⁄var⁄sadm⁄spool is the default location so can be omitted if that is where the patch file is located.

eg. patchadd -n -B ⁄var⁄sadm⁄backout -M ⁄var⁄sadm⁄spool 128307-04.jar

“man patchadd” is your friend.

No comments »

snmp - the Simple Network Management Protocol is anything but as I discovered while trying to monitor status on remote devices. The story so far …

Some background on snmpwalk

snmpwalk is a very useful tool to explore what snmp information is available from an snmp enabled device. To use snmpwalk, on a commandline enter:

snmpwalk -Os -v [1|2c|3] -c community host [ OID ]

-Os means print only last symbolic element of OID
-v is the snmp version identifier
-c is the snmp community
host is the ipaddress of the snmp agent you want to query
OID is an optional item which identifies a specific branch of the mib for the device. If given only the values under that branch will be printed.

You can use snmpwalk --help to get a full list of options for snmpwalk.
By default an snmp agent listens on UDP port 161 and traps are handled through UDP port 162. If the agent you want to query is not listening on UDP port 161 then you may need to specifiy the agent ip-address and port in the format host:port-number.

Turning snmp on in a Cisco ASA

#
# allow host #.#.#.# to poll through the ASA's outside interface for snmp
# community "public" using snmp version 2. Refers to the contents of the
# standard MIB-II which is sometimes referred to as RFC1213-MIB
snmp-server host outside #.#.#.# poll community public version 2c
#
# as far as I can see this is informational
snmp-server location MyServerRoom
#
# sets the text for mib object sysContact
snmp-server contact Me
#
# set the snmp community
snmp-server community public
#
# enables the specified snmp traps
snmp-server enable traps snmp authentication linkup linkdown coldstart


No comments »

This will add spam and av scanning to Exim4 configuration at smtp time - note it does not use Exiscan. It will also add a ***SPAM*** marker to the subject line of mails whose spam score is between our minimum spam threshold and the upper spam threshold above which spam mail will be automatically rejected. Exim will also check DNSBLs for known spam sources. This configuration has been tested with Exim 4.63. These steps also assume that your have spamassassin and clamav installed, configured and working. If your settings for these very from my examples below you will need to adjust things as required. Now on to the configuration …

In the Main configuration section of exim.conf

• add the av scanner. This assumes you have installed clamav, the path to the socket in clamd’s configuration must match the path you specify here:
  

  av_scanner = clamd:/var/run/clamd.exim/clamd.sock

• add spamd, by default spamd listens on port 783. If your spamd is using a different socket then change this as appropriate:
  

  spamd_address = 127.0.0.1 783

• add in a system filter. We will use the system filter to rewrite the subject line on mails which are identified as spam. If you put the system filter in a different location or name the file differently adjust this entry as needed:
  

  system_filter = /etc/exim/system.filter

  For our purposes a system filter can be quite simple, all it does it to rewrite the subject line of spam emails …

  if $header_X-Spam-Flag: contains "YES"
then
headers remove subject
headers add "Subject: $h_X-Spam-Subject:"
endif


In the “begin acl” section of your exim.conf file find the “acl_check_rcpt:” acl. There are several sections in this acl which are processed in order. There should be a section that looks like:

accept hosts =+relay_from_hosts
= submission


• add the DNSBL processing:
  

  deny message = DNSBL listed at $dnslist_domain\n$dnslist_text
dnslists = zen.spamhaus.org:bl.spamcop.net:cbl.abuseat.org:psbl.surriel.com

Now find the acl_check_data: acl

• near the top add the virus scanner check:
  

  deny malware = *
message = This message contains a virus ($malware_name).

• next we start our spam handling - if the email is too large just let it in, the spamassassin processing for large emails is very demanding, also typical spam emails are not large. In this case we will allow messages larger than 100000 bytes through as they are relatively unlikely to be spam
  

  accept condition = ${if >= {$message_size}{100000} {1}}
add_header = X-Spam-Note: Spamassassin run bypassed due to message size

• next we allow spamassassin to fail or time out
  

  warn spam = nobody/defer_ok
add_header = X-Spam-Flag: YES

• now add an X-Spam-Report header for messages <80k in size
  

  warn condition = ${if <{$message_size}{80k}{1}{0}}
message = X-Spam-Report: $spam_report
spam = nobody:true

• add a note if spamassassin invocation fails
  

  accept condition = ${if !def:spam_score_int {1}}
add_header = X-Spam-Note: Spamassassin invocation failed

• add the X-Spam headers if the spam score is above the minimum
  

  warn condition = ${if >{$spam_score_int}{45}{1}}
add_header = X-Spam-Subject: ***SPAM*** $h_subject
add_header = X-Spam-Bar: $spam_bar
add_header = X-Spam-Flag: YES
add_header = X-Spam-Report: $spam_report


• reject all mail with a spamscore above your “reject because it’s total rubbish, I never want to read it” maximum spam score
  

  deny condition = ${if >{$spam_score_int}{110} {1}}
message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
$spam_report


• the last line in this acl should be to accept any mail which has passed our anti-virus and spam testing so
  

  accept

… and that is it. The DNSBLs I use I’ve found to be reliable and have an almost 0% rejection of non-spam emails but your mileage might vary so experiment to find the ones which suit you the best (it could be worth checking out the article “Which ones work well” at www.dnsbl.com as a starting point). To check how things are running you can tail the exim log file (tail -f /var/log/exim/main.log)

No comments »

I wanted to install an anti-virus scanner to work with my smtp server (exim) and since I couldn’t find a centos repository that included clamav and didn’t want to spend hours searching I just downloaded the source and installed from scratch. To do this you will need to have a compiler and development libraries installed. The steps I followed were:

• Create the clamav user and group
  

  sudo groupadd clamav
sudo useradd -g clamav -c "clamav user" -d /var/clamav -s /sbin/nologin -m clamav

• Download the source from http://www.clamav.net into a working directory and unpack (eg. tar zxvf clamav-0.93.tar.gz) which will create a source code directory called clamav-0.93 under your working directory.
• cd into the source code directory and execute ./configure in my case I didn’t want to change any of the defaults and wanted to install clamav into /usr/local which is the default location. The output will tell you if there are any missing prerequisites such as zlib. If there are any missing prerequisites then I recommend that you install them first and then start to build and install clamav.
• Execute make which will compile the clamav source with the configuration options from above.
• Install clamav
  

  sudo make install

• Edit the clamd.conf file in /usr/local/etc and set appropriate values for the various configuration items. My clamd.conf has the following settings:
  

  LogFile /tmp/clamd.log
LogFileUnlock yes
LogFileMaxSize 2M
LogTime yes
LogClean yes
LogSyslog yes
PidFile /var/run/clamd.pid
LocalSocket /var/run/clamd.exim/clamd.sock
FixStaleSocket yes
MaxRecursion 128
MaxFileSize 15M
MaxFiles 1500

  for all other settings I accepted the defaults.

• Configure /usr/local/etc/fresclam.conf - the settings I changed in my freshclam.conf were:
  

  UpdateLogFile /var/log/freshclam.log
LogTime yes
LogSyslog yes
PidFile /var/run/freshclam.pid
DatabaseMirror database.clamav.net
NotifyClamd /usr/local/etc/clamd.conf

  all other settings were at their default values

• Run freshclam once manually to seed the virus signatures in the database. Execute /usr/local/bin/freshclam
• For normal operations I also set freshclam to run once per hour by adding it to my crontab
  

  8 0-23 * * * /usr/local/bin/freshclam 2>&1

• Create a script to automatically start clamd on a system reboot in /etc/init.d. My /etc/init.d/clamd script is:
  

  
#! /bin/sh
#
### BEGIN INIT INFO
# Provides: clamd
# Required-Start: $syslog $network clamd
# X-UnitedLinux-Should-Start:
# Required-Stop: $syslog $network clamd
# X-UnitedLinux-Should-Stop:
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: anti virus scan mails
# Description: Start clamd
### END INIT INFO
#

  # Check for missing binaries (stale symlinks should not happen)
  # Note: Special treatment of stop for LSB conformance
  CLAMD_BIN=/usr/local/sbin/clamd
  CLAMD_CONFIG=/usr/local/etc/clamd.conf
  CLAMD_PID_FILE=/var/run/clamd.pid

  test -x $CLAMD_BIN || { echo "$CLAMD_BIN not installed";
  if [ "$1" = "stop" ]; then exit 0;
  else exit 5; fi; }

  # Check for existence of needed config file and read it
  test -r $CLAMD_CONFIG || { echo “$CLAMD_CONFIG not existing”;
  if [ "$1" = "stop" ]; then exit 0;
  else exit 6; fi; }

  # Shell functions sourced from /etc/rc.status:
  # rc_check check and set local and overall rc status
  # rc_status check and set local and overall rc status
  # rc_status -v be verbose in local rc status and clear it afterwards
  # rc_status -v -r ditto and clear both the local and overall rc status
  # rc_status -s display “skipped” and exit with status 3
  # rc_status -u display “unused” and exit with status 3
  # rc_failed set local and overall rc status to failed
  # rc_failed set local and overall rc status to
  # rc_reset clear both the local and overall rc status
  # rc_exit exit appropriate to overall rc status
  # rc_active checks whether a service is activated by symlinks
  # rc_splash arg sets the boot splash screen to arg (if active)
  . /etc/rc.status

  # Reset status of this service
  rc_reset

  # Return values acc. to LSB for all commands but status:
  # 0 - success
  # 1 - generic or unspecified error
  # 2 - invalid or excess argument(s)
  # 3 - unimplemented feature (e.g. “reload”)
  # 4 - user had insufficient privileges
  # 5 - program is not installed
  # 6 - program is not configured
  # 7 - program is not running
  # 8–199 - reserved (8–99 LSB, 100–149 distrib, 150–199 appl)
  #
  # Note that starting an already running service, stopping
  # or restarting a not-running service as well as the restart
  # with force-reload (in case signaling is not supported) are
  # considered a success.

  case “$1″ in
  start)
  echo -n “Starting clamd”
  $CLAMD_BIN 2>&1

  # Remember status and be verbose
  rc_status -v
  ;;
  stop)
  echo -n “Shutting down clamd”
  CLAMD_PID=`/usr/bin/head -n 1 ${CLAMD_PID_FILE}`
  kill -TERM ${CLAMD_PID}

  # Remember status and be verbose
  rc_status -v
  ;;
  restart)
  ## Stop the service and regardless of whether it was
  ## running or not, start it again.
  $0 stop
  $0 start

  # Remember status and be quiet
  rc_status -v
  ;;
  reload)
  echo -n “Reload service clamd”
  $CLAMD_PID=`head -n 1 ${CLAMD_PID_FILEi}`
  kill -HUP ${CLAMD_PID}
  rc_status -v

  ## Otherwise:
#$0 stop && $0 start
#rc_status
;;
*)
echo “Usage: $0 {start|stop|restart|reload}”
exit 1
;;
esac
rc_exit


• Now make a link from the /etc/init.d/clamd script to the runlevel startup directories. Try
  

  chkconfig clamd on

  or possibly

  ln -s /etc/init.d/clamd /etc/rc3.d/S99clamd
ln -s /etc/init.d/clamd /etc/rc5.d/S99clamd

• Now start clamd
  

  /etc/init.d/clamd start

No comments »

dmapi is the data management api defined in the X/Open document “Systems Management Data Storage Management API dated Feb 1997. XFS, IBM JFS, VxFS, AdvFS and GPFS file systems support DMAPI for Hierarchical Storage Management

No comments »

• Open the /etc/yum.repos.d/CentOS-BASE.repo file in your favourite text editor.
• Find the [centosplus] section and set (Note: Ignore quotes) “enabled=1” then add the line “includepkgs=kernel* xfs” kmod* dmapi*”
• You can now list the available (eg. xfs related) packages using “yum list available *xfs*”

No comments »