Thanks to the k9mail wiki on debugging connection issues and the fact that I already had the Android SDK installed, I was able to solve the 2 related errors I was getting. I would either get an “HTTP 404 not found” or an “HTTP 501 Not Implemented” depending on the settings I chose. With no additional settings other than suggested in the Wiki, I’d get a “501 not implemented”. If I tried to set a mailbox path, or a WebDAV path, I’d get the HTTP 404 Not Found.

In the debugging log, I saw that the system was calling “http://mail.$domain.exchange.ms/”$webDAVpath/Inbox – if I set it to a full URL, the full URL was getting appended. When I attempted to hit those same paths in a full browser, I’d always get an HTTP 404. So, digging in my history in Firefox, I found the following (cleaned) path:
http://mail.$domain.exchange.ms/exchange/$emailaddress/
In this case $emailaddress was my Exchange mail address with the “@” stripped out. Appending “Inbox” to the end of this path resulted in a valid load of my OWA inbox.

Plugging then: /exchange/$emailaddress/ into the WebDAV box in K9Mail, and my email immediately loaded up.

Now I have Android syncing my calendars and contacts, and k9mail is handling my massive inbox!

A few months ago I hot-added a new disk to an ssh bastion host (a VM on ESX). As these things tend to go, I eventually took a maintenance window and updated firmware/BIOS/OS on the ESX host. When the bastion VM came back online, however, I was presented with an odd error:

[root@bastion ~]: fsck /dev/sdc1
e2fsck 1.39 (29-May-2006)
fsck.ext3: Device or resource busy while trying to open /dev/sdc1
Filesystem mounted or opened exclusively by another program?
[root@oracle1 ~]# cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered 0 0
/dev /dev tmpfs rw 0 0
/proc /proc proc rw 0 0
none /selinux selinuxfs rw 0 0
devpts /dev/pts devpts rw 0 0
tmpfs /dev/shm tmpfs rw 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw 0 0
[root@oracle1 ~]# cat /etc/fstab
/dev/main/root / ext3 defaults 1 1
/dev/sdc1 /home ext3 defaults 1 2
/dev/main/var /var ext3 defaults 1 2
/dev/main/tmp /tmp ext3 defaults 1 2
LABEL=/boot /boot ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/main/swap swap swap defaults 0 0
# Beginning of the block added by the VMware software
.host:/ /mnt/hgfs vmhgfs defaults,ttl=5 0 0
# End of the block added by the VMware software

So everything in the fstab is how I left it – /dev/sdc1 is the new disk I added that is giving errors mounting. So I thought to check for corruption on the disk, and found the problem:

[root@oracle1 ~]# fdisk -l
Disk /dev/sda: 42.9 GB, 42949672960 bytes
255 heads, 63 sectors/track, 5221 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 104391 83 Linux
/dev/sda2 14 5221 41833260 8e Linux LVM
Disk /dev/sdb: 42.9 GB, 42949672960 bytes
255 heads, 63 sectors/track, 5221 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sdb1 1 5221 41937651 83 Linux
Disk /dev/sdc: 32.2 GB, 32212254720 bytes
255 heads, 63 sectors/track, 3916 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sdc1 * 1 3917 31457279+ 8e Linux LVM


So, a simple fix – change “/dev/sdc1″ to “/dev/sdb1″ in /etc/fstab (or to VOLUME=home), and boot back up.

It’s not something that’ll probably happen on this server again, but it is something to be aware of, on both VM guests and on physical servers. This is why so many newer Linux OSes are using UUID= or VOLUME= instead of device path for SCSI disks.

So, to turn off console (not X terminal, but tty) beeps, you can do one of the following:
1) (This is my preference)

echo blacklist snd_pcsp >> /etc/modprobe.d/blacklist.conf


2) (I’ve done this, but it doesn’t affect all software)

for i in 1 2 3 4 5 6
do
setterm -blength 0 > /dev/tty$i
done

3) (Only works per shell if ~/.inputrc is included)

echo set bell-style visible >> ~/.inputrc


Enjoy more-sane editing from ttyX in the future!

On a Samba server joined to AD with winbind, this is easy to deal with because Samba’s winbind can treat the computer accounts just like user accounts, and assign them access to the unix filesystem with whatever backend has been configured. When a Samba server is joined with Likewise, however, the machine accounts are not visible, and the “username is invalid” message comes up.

Fortunately, Samba gives us a method to handle this, in form of the “username map” directive in /etc/samba/smb.conf.  There are two ways to use this, the first is with the username map file.
In smb.conf, to simply add:
[global ]
username map = /etc/samba/smbusers
then create a file named /etc/samba/smbusers and populate it with localuser=aduser pairs, like:
COMPUTER1$ = compacct
COMPUTER2$ = compacct
CITRIXFARM1$ = citrxact
and so on. Lastly, you’ll have to add the local accounts from the pairs above:
useradd -c "Account for AD Computers to use Samba" compacct -G users -u 998
useradd -c "Account for AD Citrix Servers to use Samba" citrxact -G users -u 999
Then, whenever one of the AD computers in the list attempts to access the Samba share, it’ll be mapped to the local account.

The problem with this is when you have a lot of servers, like a Citrix MetaFrame farm, or a Windows Server 2008 R2 Remote Desktop Services farm, that may be changing frequently, because managing that file could get hard. In this case there is the username map script directive, which is added to smb.conf as:
[global ]
username map script = /usr/lib/samba/auth/machine-acct-map.pl
Then download this script and save it in /usr/lib/samba/auth/ and make it executable (chmod +x /usr/lib/samba/auth/machine-acct-map.pl). Then run:
useradd -c "Account for AD Computers to use Samba" compacct -G users -u 998
Now, all computers which access the share will be remapped to the “compacct” user, and you won’t have to manage a file for every time the server farm changes.

Get the file here.

Anyways; Workstation 6.5 has been giving me problems.  Because of the newness of KDE4, I initially thought it was a KDE problem, but it turns out it’s something between Workstation 6.5 and Ubuntu 8.10.  I just ran the “adapt –dist-upgrade-devel” command from the Ubuntu wiki to upgrade, and upon reboot, I couldn’t “ctrl-alt-ins” or “ctrl-alt-del” to log into my Windows VM, my “Windows/Start” key on the keyboard wouldn’t respond, and my arrow keys wouldn’t work.  Incredibly, when I’d hit the “down” arrow, I’d get the Windows Start menu pop up!!

Fix is easy, edit /etc/vmware/config and add the line below like:

sudo vim /etc/vmware/config
:$
A (that's vi-command for "go to the end of the file, and start writing a new line")
xkeymap.nokeycodeMap = true


Have to restart your VMs for this change to take effect. Thanks to Duncan Epping for this fix (he posted it in the forums, where I found it).

For the Unix/Linux world, there doesn’t seem to be as much available.

If you have a pure HP-UX shop, there is HP Systems Insight Manager (SIM) with plug-ins available for software deployment, and I believe IBM Tivoli has a function or sub-product which does the same thing if you have all AIX systems. Red Hat Network has a feature to allow commands to be run on your servers, but only whenever they check in with the RHN or your internal Satellite Server (much like Group Policy, except GPO doesn’t allow “in the middle of the day” script creation without GP-Preferences). So what’s available that’s like SCCM or DesktopAuthority – a “click now and do this thing” tool?

A bunch of my customers just have various levels of logging and processing that come down to being a big for loop that ssh’s into a server and runs a command:
for i in `cat server-list.txt` ; do scp scriptname $i:/root/; ssh $i "/root/scriptname" | tee logfile-$i.log; done;
While it works great for smaller commands. if you have a mixed environment, the “scriptname” script has to be intelligent enough to know what it’s running against, or your “server-list.txt” has to be broken up by class of system. In either case, if you have 200 systems in the list, and the task takes 5 minutes per server, a single install will run for 16-17 hours.

Software like Likewise Enterprise which allow Group Policy management to remote computers is great, because you can have guaranteed delivery and execution of your script or command in (by default) 30 minutes, but my problem is how to get it there in the first place?

So, administrators out there in companies with 1000, 4000, 10000+ servers (or even Desktops), what mutli-threaded or multi-process tool are you using to tackle this timing/resouce problem? Please post below!

As you may remember, back in January I was invited to speak at Directory Experts’ Conference, 2008. If you weren’t there, I spoke about integrating 30+ Linux servers with a 2000-user Active Directory forest at one of the U.S.’s biggest home improvement providers. At the time, we had used Centrify DirectControl 4.0 to accomplish this integration, and they were the ones who invited me to speak at DEC.

As part of my preparations, I reached out to Quest Software to ask about Vintella, now renamed “Authentication Services”, and to Likewise Software, who sent me software and support contacts (at my request), so that I could learn Likewise Enterprise as well as I knew Centrify DirectControl. That was a very tall order for Likewise Software to fill, as I had spent the past 6 months learning DirectControl inside out.

After 4 weeks of building demonstration machines (with both products), capturing video in case the demos crashed (which they didn’t), and building a presentation and practicing it, DEC was upon us.  I gave two presentations, one specifically for Centrify on Monday, and the primary one on Wednesday.  At the end of both presentations, we recieved a lot of great questions which Centrify’s Director of Product Development helped answer.

At the end of the conference, Likewise offered me a job. After many discussions with them, my friends and family, and my customers, I decided to take the opportunity. This is not a decision I made to slight Centrify, who’s support of me through my time as a customer was amazing, and who’s assistance through the presentation was fabulous. It’s just one of those opportunities that comes along that I couldn’t pass up.

So for the past 6 months I’ve been the Project Manager for Deployments for Likewise Software. I’ve been on the road about 80% of the time, working with customers to install our software in their environments. Many of the posts I’ve made in that time have been in response to an issue we’ve seen or avoided at a customer of Likewise. I will continue to write these, and I’ll work on doing so at my old (2007) pace of about 3-4 posts a month, since they have been (according to my stats) useful to many people, which is the point of writing this blog.

That means, no changes here compared to last year, but I will have a wider variety of topics, and I’ll likely start mentioning our software specifically. I want it to be clear it’s not advertising, but just the state of what I’m working with. Again, Centrify makes a great product, and I was very happy to have chosen it for my needs at my previous employer.  However, I’ve chosen to move forward with this open source company (Likewise Software) for the next stage of my career, and will continue to write about software and integration with a view towards open source software.

Thanks for continuing to read!

Robert Auch

• AIX: iptrace: /usr/sbin/iptrace [ -a ] [ -b ][ -e ] [ -u ] [ -PProtocol_list ] [ -iInterface ] [ -pPort_list ] [ -sHost [ -b ] ] [ -dHost ] [ -L Log_size ] [ -B ] [ -T ] [ -S snap_length] LogFile
• FreeBSD: tcpdump (I think): tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ] [ -C file_size ] [ -F file ] [ -i interface ] [ -m module ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -E algo:secret ] [ expression ]
• HP-UX: nettl: nettl requires a daemon start, and other setup: /usr/sbin/nettl -traceon kind… -entity subsystem… [-card dev_name...] [-file tracename] [-m bytes] [-size portsize] [-tracemax maxsize] [-n num_files] [-mem init_mem [max_mem]] [-bind cpu_id] [-timer timer_value]
• Linux 2.4 and higher:
  • tcpdump (some distros): tcpdump [ -AdDefKlLnNOpqRStuUvxX ] [ -c count ] [ -C file_size ] [ -G rotate_seconds ] [ -F file ] [ -i interface ] [ -m module ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]
  • wireshark (some distros, used to be called “ethereal”): GUI-config, no command-line, use tethereal (now tshark) for that
  • tshark: tshark [ -a <capture autostop condition> ] … [ -b <capture ring buffer option>] … [ -B <capture buffer size (Win32 only)> ]  [ -c <capture packet count> ] [ -C <configuration profile> ] [ -d <layer type>==<selector>,<decode-as protocol> ] [ -D ] [ -e <field> ] [ -E <field print option> ] [ -f <capture filter> ] [ -F <file format> ] [ -h ] [ -i <capture interface>|- ] [ -l ] [ -L ] [ -n ] [ -N <name resolving flags> ] [ -o <preference setting> ] … [ -p ] [ -q ] [ -r <infile> ] [ -R <read (display) filter> ] [ -s <capture snaplen> ] [ -S ] [ -t ad|a|r|d|e ] [ -T pdml|psml|ps|text|fields ] [ -v ] [ -V ] [ -w <outfile>|- ] [ -x ] [ -X <eXtension option>] [ -y <capture link type> ] [ -z <statistics> ] [ <capture filter> ]
• Mac OSX: tcpdump (among others): tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ] [ -C file_size ] [ -F file ] [ -i interface ] [ -m module ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -E algo:secret ] [ expression ]
• Solaris: snoop: snoop [ -aPDSvVNC ] [ -d device ] [ -s snaplen ] [ -c maxcount ] [ -i filename ] [ -o filename ] [ -n filename ] [ -t [ r | a | d ] ] [ -p first [ , last ] ] [ -x offset [ , length ] ] [ expression ]
• Windows 2000, XP, 2003, Vista, 2008 and beyond:
  • netmon (not installed by default): GUI config, filter creation info here
  • wireshark (available by download): GUI-config, no command-line

Any others anyone wants added (or corrected), just comment or email and I’ll update this.
(Edit 7/29/08 – change tcpdump link)
(Edit 10/13/08 – add tshark info, thanks Jefferson!, and wireshark on Windows)
(Edit 12/27/09 – update IBM iptrace man page link)

“Akismet has caught 347 spam for you since you first installed it.”

That’s since 11/29/2007. Akismet has YET to miscategorize a comment as spam, and it has missed a single spam comment. All I had to do was click “this is spam” and it’s cleaned up.

The only other anti-spam product I’ve seen to perform this well is the IronPort mail system at a client. 130,000 or so attempts / day, 1 spam / day in the entire company queue, and no users complaining about spam in 5 months.

Akismet, Ironport, my hat is off to you both.

We haev this running ever 3 minutes from 3 systems: 1 Windows 2003, 1 Fedora Core 8, and 1 Kubuntu Gutsy Gibbon. Requires Net::SMTP, Config::INIFiles, LWP::UserAgent, and HTTP::Request. The only one that I’ve needed to download and install is Config::INIFiles on any of those 3 systems. But I do have LWP::Simple on all systems, so I’m not sure if you’ll need the last 2. This is my first published code other than 3 line bash scripts, so be kind in comments.

Feel free to take and use / improve / update this – I’d just appreciate if you’d let me know so I can update this version here. The parseIni() function checks that all “URL”s are in http://www.google.com format or http://64.233.167.99 format (it checks for http:// followed by text followed by what appears to be a valid TLD format, or it checks for http:// followed by an IP address). I have yet to add in the regex to look for a valid full URI, because I didn’t need that yet.

This is upgraded over responser.pl in that:

1. It will send to any number of SMTP recipients (comma-separated)
2. It will silence its alerting if *all* checked addresses are down. If the monitoring system gets unplugged from the network, it won’t attempt to send hundreds of alerts upon regaining access. Or if you’re testing from a DSL line, you won’t get alerts because the DSL line went down, but the actual target was up. The next version will have this as an option in the INI file.
3. It uses standard INI file formatting, rather than a parsed text file.
4. it runs out of the box (so to speak) on Windows (ActivePerl) or Linux (Fedora and Ubuntu both tested).
5. It has better inline documentation.

The major problem is that a minimum of 2 URLs are needed in the INI file for the full logic to work. You can get around this for small networks by adding in the DNS domain for one, and the IP address for the other.

Thanks, and please share any concerns or problems.

chk-web.pl