Thursday, April 30, 2009

HOWTO configure ntp on a windows 2003 server

Wow, this is really sucky. I can't believe this is the blessed procedure. I have reproduced it here:

Open Registry Editor (regedit.exe) and configure the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

This registry entry determines which peers W32Time will accept synchronization from. Change this REG_SZ value from NT5DS to NTP so the PDC Emulator synchronizes from the list of reliable time servers specified in the NtpServer registry entry described below.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

This registry entry controls whether the local computer is marked as a reliable time server (which is only possible if the previous registry entry is set to NTP as described above). Change this REG_DWORD value from 10 to 5 here.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

This registry entry specifies a space-delimited list of upstream NTP servers from which the local computer obtains time. The list may consist of one or more DNS names or IP addresses; append ,0x1 to each entry so W32Time polls it at the SpecialPollInterval rather than the default schedule. For example, to synchronize the PDC Emulator in your forest root domain with tock.usno.navy.mil, an open-access NTP server run by the United States Naval Observatory, change the value of the NtpServer registry entry from time.windows.com,0x1 to tock.usno.navy.mil,0x1. You can use the IP address of that server instead (192.5.41.209 at the time of writing), but a hard-coded address fails silently if the operator renumbers, so prefer the DNS name, and list more than one server.

Now stop and restart the Windows Time service using the following commands:

net stop w32time

net start w32time

You should see W32Time entries in the System event log (Event ID 37, "The time provider NtpClient is currently receiving valid time data from ...") once the box is receiving time from the server; w32tm /resync forces a sync straight away instead of waiting for the next poll. Be aware that this sync from an Internet NTP server is unauthenticated (W32Time only authenticates the NT5DS domain-hierarchy sync), and this one clock anchors Kerberos ticket validity for the whole forest, which by default tolerates five minutes of skew. Restrict the PDC Emulator's outbound NTP at the firewall to the servers you listed, and list more than one so a single bad or unreachable server cannot skew or stall it.

Nagios check_procs fooled by the 15 character limit in /proc/pid/status

Interesting problem with the nagios check_procs command. It does not take into account that the Name: field in /proc/pid/status (the kernel's comm, TASK_COMM_LEN of 16 bytes including the NUL) holds at most 15 characters, so names of longer processes are truncated. check_procs -C compares against exactly that column, so a check like -C my_very_long_daemon_name -c 1: never matches and reports CRITICAL for a daemon that is running fine, or, worse, is satisfied by any other process whose first 15 characters happen to be the same. Match on the full command line with -a / --ereg-argument-array instead, which reads /proc/pid/cmdline and is not truncated.
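An added illustration (mine, not code from the original post or from the Nagios plugins) that builds a throwaway /proc look-alike under a temp directory and shows the mismatch: the Name: field carries the kernel's comm cut to 15 characters, while cmdline still holds the full argv[0]. The daemon names, PIDs and arguments are constructed test data; the helper derives comm from the basename of argv[0], which is how the kernel initialises it at exec (a process can rename itself afterwards with prctl(PR_SET_NAME), and kernel threads have an empty cmdline, so argv-based matching is better but still not proof against a hostile process).

```python
import os
import tempfile

TASK_COMM_LEN = 16  # kernel constant: comm holds 15 characters plus the NUL


def build_fake_proc(root, procs):
    """Write /proc-style <pid>/status and <pid>/cmdline files under root.

    Constructed test data. comm is the basename of argv[0] cut to
    TASK_COMM_LEN - 1, which is how the kernel initialises it at exec time.
    """
    for pid, argv in procs:
        d = os.path.join(root, str(pid))
        os.makedirs(d, exist_ok=True)
        comm = os.path.basename(argv[0])[:TASK_COMM_LEN - 1]
        with open(os.path.join(d, "status"), "w") as f:
            f.write("Name:\t%s\nState:\tS (sleeping)\nPid:\t%d\n" % (comm, pid))
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(b"\0".join(a.encode() for a in argv) + b"\0")


def comm_name(root, pid):
    """The Name: line of /proc/<pid>/status, i.e. the truncated comm."""
    with open(os.path.join(root, str(pid), "status")) as f:
        for line in f:
            if line.startswith("Name:"):
                return line.split("\t", 1)[1].strip()
    return None


def cmdline_argv(root, pid):
    """argv from /proc/<pid>/cmdline: NUL separated, empty for kernel threads."""
    with open(os.path.join(root, str(pid), "cmdline"), "rb") as f:
        return [a.decode() for a in f.read().split(b"\0") if a]


def pids(root):
    return sorted(int(d) for d in os.listdir(root) if d.isdigit())


def find_by_comm(root, name):
    """What check_procs -C effectively does: exact match on the comm column."""
    return [p for p in pids(root) if comm_name(root, p) == name]


def find_by_argv0(root, name):
    """Match on the basename of argv[0] instead, which is not truncated."""
    hits = []
    for p in pids(root):
        argv = cmdline_argv(root, p)
        if argv and os.path.basename(argv[0]) == name:
            hits.append(p)
    return hits


def demo():
    """Compare both lookups against a constructed three-process table."""
    root = tempfile.mkdtemp()
    build_fake_proc(root, [
        (101, ["/usr/sbin/my_very_long_daemon_name", "--foreground"]),
        (102, ["/usr/sbin/my_very_long_daemon_name_v2"]),  # same first 15 chars
        (103, ["/usr/sbin/sshd", "-D"]),
    ])
    return {
        "comm": comm_name(root, 101),                                  # 'my_very_long_da'
        "by_comm": find_by_comm(root, "my_very_long_daemon_name"),     # [] - never matches
        "by_comm_truncated": find_by_comm(root, "my_very_long_da"),    # [101, 102] - collides
        "by_argv0": find_by_argv0(root, "my_very_long_daemon_name"),   # [101]
    }


if __name__ == "__main__":
    print(demo())
```

The real-plugin equivalent of find_by_argv0 is to match on arguments rather than the command name, e.g. check_procs -c 1: -a my_very_long_daemon_name, or --ereg-argument-array with a regex anchored on the binary path; -C will only ever see the 15-character comm.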

Wednesday, April 29, 2009

Using python ldap to authenticate a django app to a windows domain controller

I used a HOWTO and the auth backend from django ticket 2507 to get django working with a linux openldap. The next task was to get it working with windows. This will probably depend on your AD structure more than anything else. I used the following in settings.py:

import ldap
AUTHENTICATION_BACKENDS = (
'myapp.ldapauth.LDAPBackend',
)
LDAP_DEBUG=True
LDAP_SERVER_URI='ldap://mydomain.com'
LDAP_SEARCHDN='ou=Staff,dc=mydomain,dc=com'
LDAP_SEARCH_FILTER = 'sAMAccountName=%s'
LDAP_PREBINDDN = 'bindacct@mydomain.com'
LDAP_PREBINDPW = 'pass'
LDAP_BIND_ATTRIBUTE = 'cn'
LDAP_FIRST_NAME = 'givenName'
LDAP_LAST_NAME = 'sn'

I used ipython to debug my ldap setup:

ipython
import ldap
# Debug level 255 traces every packet, including the cleartext bind password,
# so do this in a scratch session and not with a production service account.
ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)
l = ldap.initialize('ldap://server:port')
l.simple_bind_s('domainuser@mydomain.com','pass')
l.search_s('ou=people,dc=mydomain,dc=com',ldap.SCOPE_SUBTREE,'sAMAccountName=domainuser')

The next step is to follow the Microsoft instructions for enabling SSL (LDAPS on the domain controller) so the creds don't travel in cleartext: with ldap:// the simple bind above sends the user's password in the clear on every login, and the LDAP_PREBINDPW service account password with it.
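An added example (mine, not the ticket 2507 backend or python-ldap code) of the two-bind AD login the settings above describe, with the two checks a backend like this needs: RFC 4515 escaping of the username before it goes into the search filter, and refusal of empty passwords, because a simple bind with an empty password is an unauthenticated bind that Active Directory accepts by default, so a naive backend would log anyone in as any user it can look up. The connection object is a constructed stand-in with python-ldap's simple_bind_s/search_s signatures so the block runs without a domain controller; the base DN, service account and the two accounts in the directory are invented.

```python
import re

SCOPE_SUBTREE = 2  # same numeric value python-ldap exposes as ldap.SCOPE_SUBTREE

# RFC 4515 escaping of a value placed inside a search filter. python-ldap ships
# this as ldap.filter.escape_filter_chars; inlined so the example needs no deps.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_chars(value):
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


class AuthError(Exception):
    pass


def authenticate(conn, base, username, password,
                 bind_dn="bindacct@mydomain.com", bind_pw="pass"):
    """Look the user up with the service account, then bind as the user's DN."""
    # An empty password turns simple_bind_s into an unauthenticated (anonymous)
    # bind, which AD accepts, so it must be rejected before any bind happens.
    if not password:
        raise AuthError("empty password")
    conn.simple_bind_s(bind_dn, bind_pw)
    flt = "(sAMAccountName=%s)" % escape_filter_chars(username)
    hits = conn.search_s(base, SCOPE_SUBTREE, flt, ["givenName", "sn"])
    if len(hits) != 1:
        raise AuthError("expected exactly one account, got %d" % len(hits))
    dn, attrs = hits[0]
    conn.simple_bind_s(dn, password)  # raises on bad credentials
    return dn, attrs


def login_ok(conn, base, username, password):
    """True if authenticate() succeeds, False on any AuthError."""
    try:
        authenticate(conn, base, username, password)
        return True
    except AuthError:
        return False


def raw_search_count(conn, base, username, escape):
    """Entries matched by a filter built from user input, with/without escaping.
    Shows why '(sAMAccountName=%s)' % raw_username is an LDAP injection."""
    value = escape_filter_chars(username) if escape else username
    return len(conn.search_s(base, SCOPE_SUBTREE, "(sAMAccountName=%s)" % value))


def _filter_value_to_regex(pattern):
    """Interpret an assertion value the way a server would: a raw '*' is a
    wildcard, a '\\xx' escape is one literal character. Fake directory only."""
    out = []
    for tok in re.split(r"(\\[0-9a-fA-F]{2}|\*)", pattern):
        if tok == "*":
            out.append(".*")
        elif len(tok) == 3 and tok.startswith("\\"):
            out.append(re.escape(chr(int(tok[1:], 16))))
        else:
            out.append(re.escape(tok))
    return "".join(out)


class FakeADConnection:
    """Constructed stand-in for a python-ldap connection to a DC. Supports
    simple_bind_s and search_s with a single equality assertion only."""

    def __init__(self, entries, passwords):
        self.entries = entries      # dn -> {attribute: value}
        self.passwords = passwords  # dn or UPN -> password

    def simple_bind_s(self, who, cred):
        if not cred:
            return  # unauthenticated bind "succeeds" anonymously, as on AD
        if self.passwords.get(who) != cred:
            raise AuthError("INVALID_CREDENTIALS for %s" % who)

    def search_s(self, base, scope, filterstr, attrlist=None):
        m = re.fullmatch(r"\((\w+)=(.*)\)", filterstr)
        if not m:
            raise ValueError("fake directory only understands (attr=value)")
        attr, regex = m.group(1), _filter_value_to_regex(m.group(2))
        hits = []
        for dn, attrs in self.entries.items():
            if dn.lower().endswith(base.lower()) and attr in attrs \
                    and re.fullmatch(regex, attrs[attr], re.IGNORECASE):
                wanted = attrlist or list(attrs.keys())
                hits.append((dn, {k: [attrs[k]] for k in wanted if k in attrs}))
        return hits


# Invented directory contents.
BASE = "ou=Staff,dc=mydomain,dc=com"
ALICE = "cn=Alice Admin," + BASE
ALICIA = "cn=Alicia Smith," + BASE
CONN = FakeADConnection(
    {ALICE: {"sAMAccountName": "alice", "givenName": "Alice", "sn": "Admin"},
     ALICIA: {"sAMAccountName": "alicia", "givenName": "Alicia", "sn": "Smith"}},
    {"bindacct@mydomain.com": "pass", ALICE: "correct horse", ALICIA: "battery staple"},
)
```

With python-ldap, use ldap.filter.escape_filter_chars and ldap.SCOPE_SUBTREE in place of the inline copies; real search_s results carry attribute values as lists of bytes, and a bad final bind raises ldap.INVALID_CREDENTIALS rather than the AuthError used here. The raw_search_count comparison is the point of the escaping: a username of "ali*" matches both accounts unescaped and none once escaped.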

Saturday, April 25, 2009

Upgrading ubuntu

When upgrading ubuntu I usually just change my sources.list and do a dist-upgrade. There is now a utility that essentially does this for you: 'do-release-upgrade'. It replaces all occurrences of the old release name (e.g. 'intrepid') with the new one ('jaunty') in your sources.list, downloads the packages and tells you to reboot. Nice!

You can also upgrade with the GUI 'update manager', but I found it wasn't very good at reporting progress so I wasn't sure what was actually happening.

Wednesday, April 22, 2009

Backup and restore openldap 2.4

Backup

sudo /etc/init.d/slapd stop
sudo slapcat -n 0 > backup/config.ldif   # cn=config database; contains the olcRootPW hash
sudo slapcat -n 1 > backup/users.ldif    # first data database; contains userPassword hashes
sudo cp /etc/ldap.secret backup/ldap.secret
sudo chmod 600 backup/*                  # both LDIFs hold password hashes: treat them like the secret
sudo /etc/init.d/slapd start

Restore

sudo /etc/init.d/slapd stop
# slapadd wants empty targets: move the old /etc/ldap/slapd.d and /var/lib/ldap aside first
sudo slapadd -n 0 -l backup/config.ldif
sudo slapadd -n 1 -l backup/users.ldif   # -n 1 here, not -n 0: the users go in the data database
sudo chown -R openldap:openldap /etc/ldap/slapd.d /var/lib/ldap   # slapadd ran as root
sudo cp backup/ldap.secret /etc/ldap.secret
sudo /etc/init.d/slapd start

Tuesday, April 21, 2009

Openldap 2.4 and TLS

The HOWTOs I used were:

The most annoying thing about openldap is that pretty much every bit of advice and howto on the Internet is for the old version that uses slapd.conf. In the new version (2.4) everything is stored in the LDAP database in ldif itself. So where is the advice about how to add the TLS config directives? Nowhere! Not only that, but ldapadd and ldapmodify are really difficult to use, with poor error messages if you screw up your ldif syntax.

You need to write a file tls_config.ldif:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/demoCA/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/servercrt.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/serverkey.pem

Then run:

sudo ldapmodify -f tls_config.ldif -D cn=admin,cn=config -x -y /etc/ldap.secret

This assumes that the admin password is stored in /etc/ldap.secret, which is how the Debian package installs ldap; most advice on the internet tells you to look in slapd.conf for rootpw, which no longer exists in a cn=config setup. The server key file (serverkey.pem above) must be readable by the openldap user that slapd runs as and by nobody else, otherwise every local account can read the private key. Interestingly, after I disabled regular ldap in favour of ldaps below, I couldn't use ldapmodify anymore, even when I specified ldaps:// with the -H parameter. I had to re-enable regular ldap, run the command, then turn it off again.

Add the following line to /etc/default/slapd (if you only want SSL then just use ldaps):

SLAPD_SERVICES="ldap:/// ldaps:///"


Restart slapd.

On the client you need to copy over the cacert, and add these lines to /etc/ldap.conf:

uri ldaps://myserver.fqdn.com/
tls_cacertfile /etc/ssl/ldapcacert.pem
tls_checkpeer no

Be aware that tls_checkpeer no turns off verification of the server certificate altogether: the client will complete the TLS handshake with anything answering on port 636, an impostor included, and the cacert line then achieves nothing. Once the URI hostname matches the certificate (see below) put it back to yes.


I had to turn off tls_checkpeer, even though this shouldn't be necessary. The server wasn't giving any error logs until I ran it manually in super debug mode:

sudo slapd -d -1 -g openldap -u openldap -h ldaps:/// -F /etc/ldap/slapd.d/

which gave "unable to get TLS client DN". I figured out what the problem was: I was just using "myserver" in the URI instead of the FQDN in the certificate. So make sure you put the same domain in your ldaps uri as appears in your certificate (it should be fully qualified, like "myserver.fqdn.com").

Friday, April 17, 2009

Python distutils installer and user_options

I found the standard doco for distutils to be pretty appalling. It is really only useful for simple cases. The API Reference is slightly more useful, but still not great. I couldn't find a good explanation of how user_options worked to pass extra stuff into the setup script.

Here are a few things I found out after a lot of mucking around:

  • Tuples that go into the user_options array should look like:
    ('mysql-root-passwd=', "p", 'MySQL root password for local server [default: None]')
    i.e. (long option, short option, help text). The '=' on the first element tells distutils this option takes a value (i.e. it is not a boolean option).
  • Options get stored as object variables in your class, so the one above turns up as self.mysql_root_passwd - note the substitution of '_' for '-'.
  • To subclass the install command inherit from
    from distutils.command.install import install
    and set
    'cmdclass': {'install': WhitetrashInstallData}
    in your call to setup.
  • If the doco sucks, take a look at the code:
    /usr/lib/python2.5/distutils/command/install_data.py
    helped me.

One caveat with an option like --mysql-root-passwd=...: the password ends up in the shell history and in the process argument list, where every local user can read it with ps for as long as setup.py runs. Reading it from an environment variable or a mode-600 file is the safer way to pass it in.

Monday, April 13, 2009

Installing zenoss-core on Ubuntu Intrepid

Zenoss only has instructions for older versions of ubuntu. I had to install the following packages to get it to compile on intrepid (libxml2-dev and libmysqlclient-dev are the Ubuntu names of the libxml2 and MySQL client development packages):

sudo apt-get install \
libpango1.0-dev \
libcairo2-dev \
libxml2-dev \
python-cairo-dev \
gettext \
libmysqlclient-dev \
python-setuptools bzip2 \
mysql-server mysql-client python-dev build-essential subversion snmpd autoconf snmp


Which got me to this error:

/usr/include/asm-generic/fcntl.h:117: error: redefinition of ‘struct flock’
/usr/include/asm-generic/fcntl.h:140: error: redefinition of ‘struct flock64’

but thankfully someone has a patch already:

--- Samba/source/ntvfs/sysdep/inotify.c.~1~ 2008-07-30 15:44:55.000000000 -0400
+++ Samba/source/ntvfs/sysdep/inotify.c 2008-11-11 15:56:44.000000000 -0500
@@ -29,10 +29,10 @@
#include "lib/util/dlinklist.h"
#include "libcli/raw/smb.h"

-#include
-#include
+#include

-#ifndef HAVE_INOTIFY_INIT
+#if 0
+#include
/*
glibc doesn't define these functions yet (as of March 2006)
*/
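Review bot: the three "#include" lines in this hunk have lost their header names (the "<...>" part was evidently stripped as markup when the page was rendered), so the patch as shown will not apply cleanly; anyone using it has to recover the two removed and one added header from the Samba source in the Zenoss wmi build tree before running patch. What the hunk does show is two includes replaced by one and the "#ifndef HAVE_INOTIFY_INIT" guard replaced by "#if 0", which unconditionally disables the glibc-lacks-inotify fallback block that follows (the block whose own include is what redefines struct flock against /usr/include/asm-generic/fcntl.h). That is a fix-up for one glibc/kernel-header combination rather than an upstreamable change, so keep it local to the build rather than to the Samba sources themselves.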

apply with:

$ cd inst/build/wmi-*/
$ patch -p0 < patchfile

Wednesday, April 8, 2009

Configuring ssh on a cisco switch or router

To get ssh working on cisco gear, you first need an IOS image which actually includes the crypto feature set (the "k9" images). Seriously? This is absurd. Upgrading is fairly easy via the web interface once you have navigated the cisco downloads maze. They have a HOWTO enable ssh, that boils down to:

aaa new-model
! 'secret' stores a salted MD5 hash; 'password 0' plus service password-encryption
! only gives the trivially reversible type 7 encoding
username someuser secret thisisabadpword
service password-encryption
line vty 0 4
transport input telnet

Test with telnet and the username/password you used above (telnet sends them in the clear, so do this on a trusted network and only until ssh works), then:

ip domain-name mydomain.com
! the key is named after hostname.domain-name, so the domain must be set first;
! a 2048-bit modulus is what current SSH clients expect
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2

Disable everything except ssh:

line vty 0 4
transport input ssh

If there are more vty lines (show line lists them; vty 5 15 is typical on switches), do the same for those too, otherwise telnet stays open on the ones you missed.

Bridging a bonded network interface on ubuntu to a cisco switch using LACP 802.3ad

There are a lot of out of date howtos for doing bonding and bridging on linux. I found a good one; it is really easy (this works on Ubuntu intrepid):

apt-get install ifenslave

Then change your /etc/network/interfaces. This setup bonds the two interfaces into one 802.3ad aggregate: each flow is hashed onto one member link, so a single connection gets one link's bandwidth while the aggregate carries more traffic in total, and the bond keeps working if one link fails:

auto bond0
iface bond0 inet dhcp
slaves all
bond-mode 4
bond-miimon 100

It is also possible to bridge a bonded interface, with a interfaces file like this (you'll also need bridge-utils):

auto bond0
iface bond0 inet manual
slaves eth1 eth0
bond-mode 4
bond-miimon 100

auto br0
iface br0 inet static
address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.254
bridge_ports bond0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
dns-nameservers 192.168.0.1
dns-search my.lan

Your switch needs to support 802.3ad, which most managed switches do. I have it working with cisco following their howto, which boils down to:

Router> enable
Router# configure terminal
Router(config)# interface port-channel 1
Router(config-if)# interface g1/0/24
Router(config-if)# channel-group 1 mode active
Router(config-if)# exit
Router(config)# interface g1/0/23
Router(config-if)# channel-group 1 mode active
Router(config-if)# end
Router# copy run start


This should give you lines like this (show run):

interface GigabitEthernet1/0/23
channel-group 1 mode active
!
interface GigabitEthernet1/0/24
channel-group 1 mode active
!

Thursday, April 2, 2009

Vmware server console 1.0.4 broken on 64bit intrepid

I was getting the following errors on intrepid amd64 when trying to install vmware server console 1.0.4:

/usr/lib/vmware-server-console/lib/wrapper-gtk24.sh: 316: /usr/lib/vmware-server-console/bin/vmware-server-console: not found
/usr/lib/vmware-server-console/lib/wrapper-gtk24.sh: 370: /usr/lib/vmware-server-console/bin/vmware-server-console: not found

The fix was to install the ia32-libs package.