Open Source Software


We’ve had a few customers and Open users posting about problems with machine accounts trying to access Samba shares and getting denied with:
smbd/sesssetup.c:reply_spnego_kerberos(439) Username DOM\COMPUTER1$ is invalid on this system
The “$” at the end of the account name means it’s a computer account, not a user. We’re seeing this for Citrix MetaFrame application servers on shared storage, startup scripts not stored on a DC, and several other cases.

On a Samba server joined to AD with winbind, this is easy to deal with because Samba’s winbind can treat the computer accounts just like user accounts, and assign them access to the unix filesystem with whatever backend has been configured. When a Samba server is joined with Likewise, however, the machine accounts are not visible, and the “username is invalid” message comes up.

Fortunately, Samba gives us a method to handle this, in the form of the “username map” directive in /etc/samba/smb.conf. There are two ways to use it; the first is with a username map file.
In smb.conf, simply add:
[global]
username map = /etc/samba/smbusers

then create a file named /etc/samba/smbusers and populate it with localuser=aduser pairs, like:
COMPUTER1$ = compacct
COMPUTER2$ = compacct
CITRIXFARM1$ = citrxact

and so on. Lastly, you’ll have to add the local accounts from the pairs above:
useradd -c "Account for AD Computers to use Samba" compacct -G users -u 998
useradd -c "Account for AD Citrix Servers to use Samba" citrxact -G users -u 999

Then, whenever one of the AD computers in the list attempts to access the Samba share, it’ll be mapped to the local account.

The problem with this approach shows up when you have a lot of servers, like a Citrix MetaFrame farm or a Windows Server 2008 R2 Remote Desktop Services farm, that change frequently, because managing that file gets hard. For this case there is the “username map script” directive, which is added to smb.conf as:
[global]
username map script = /usr/lib/samba/auth/machine-acct-map.pl

Then download this script and save it in /usr/lib/samba/auth/ and make it executable (chmod +x /usr/lib/samba/auth/machine-acct-map.pl). Then run:
useradd -c "Account for AD Computers to use Samba" compacct -G users -u 998
Now, all computers which access the share will be remapped to the “compacct” user, and you won’t have to manage a file for every time the server farm changes.

Get the file here.
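As an added illustration of what such a username map script has to do (this is not the Perl script linked above), here is a POSIX shell version: Samba runs the script with the requested username as its single argument and reads the mapped account name from standard output. It goes one step beyond the post by sending Citrix farm members to the separate citrxact account; the farm naming prefix CITRIXFARM and both local accounts (created with useradd as shown earlier) are assumptions.

```sh
#!/bin/sh
# Added example of a Samba "username map script", not the script the post links to.
# Samba passes one argument (the username from the session setup) and expects the
# mapped unix account name on stdout; printing the name unchanged means "no mapping".
# Assumptions for this example: local accounts compacct and citrxact exist (see the
# useradd lines in the post), and Citrix farm members are named CITRIXFARM<n>.

map_user() {
    name=$1
    # Strip an optional DOMAIN\ or DOMAIN/ prefix: "DOM\COMPUTER1$" -> "COMPUTER1$".
    case $name in
        *\\*) name=${name##*\\} ;;
        */*)  name=${name##*/} ;;
    esac
    case $name in
        CITRIXFARM*\$) printf '%s\n' citrxact ;;   # Citrix farm machine accounts
        *\$)           printf '%s\n' compacct ;;   # every other machine account (trailing $)
        *)             printf '%s\n' "$1" ;;        # ordinary users: return the name unchanged
    esac
}

# When invoked by smbd there is exactly one argument; the guard keeps the
# functions usable from an interactive shell as well.
if [ "$#" -ge 1 ]; then
    map_user "$1"
fi
```

Only the single printed line matters to Samba, so keep any debugging output off stdout (for example with `logger`) when extending this.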

I just finished my upgrade from Kubuntu 8.04 to 8.10 this past week (since I had downtime from work, I could afford to break things for a few days).  The upgrade went great, and I’ll write about it shortly, once I get used to the newness.

Anyways; Workstation 6.5 has been giving me problems.  Because of the newness of KDE4, I initially thought it was a KDE problem, but it turns out it’s something between Workstation 6.5 and Ubuntu 8.10.  I just ran the “adept --dist-upgrade-devel” command from the Ubuntu wiki to upgrade, and upon reboot, I couldn’t “ctrl-alt-ins” or “ctrl-alt-del” to log into my Windows VM, my “Windows/Start” key on the keyboard wouldn’t respond, and my arrow keys wouldn’t work.  Incredibly, when I’d hit the “down” arrow, I’d get the Windows Start menu pop up!!

The fix is easy: edit /etc/vmware/config and add the line below, like so:

sudo vim /etc/vmware/config
:$
A (that's the vi command for "go to the end of the file, and start writing a new line")
xkeymap.nokeycodeMap = true

You have to restart your VMs for this change to take effect. Thanks to Duncan Epping for this fix (he posted it in the forums, where I found it).

So, any regular readers might have noticed that the posts have been slow coming the past few months.  Hopefully you don’t think that the depth in those few posts has been lacking.  I’ve been struggling with how to report that I took a new full-time job in April.  Obviously, it’s not stopping me from writing, but has slowed me down a bit.

As you may remember, back in January I was invited to speak at Directory Experts’ Conference, 2008. If you weren’t there, I spoke about integrating 30+ Linux servers with a 2000-user Active Directory forest at one of the U.S.’s biggest home improvement providers. At the time, we had used Centrify DirectControl 4.0 to accomplish this integration, and they were the ones who invited me to speak at DEC.

As part of my preparations, I reached out to Quest Software to ask about Vintella, now renamed “Authentication Services”, and to Likewise Software, who sent me software and support contacts (at my request), so that I could learn Likewise Enterprise as well as I knew Centrify DirectControl. That was a very tall order for Likewise Software to fill, as I had spent the past 6 months learning DirectControl inside out.

After 4 weeks of building demonstration machines (with both products), capturing video in case the demos crashed (which they didn’t), and building a presentation and practicing it, DEC was upon us.  I gave two presentations, one specifically for Centrify on Monday, and the primary one on Wednesday.  At the end of both presentations, we received a lot of great questions which Centrify’s Director of Product Development helped answer.

At the end of the conference, Likewise offered me a job. After many discussions with them, my friends and family, and my customers, I decided to take the opportunity. This is not a decision I made to slight Centrify, whose support of me through my time as a customer was amazing, and whose assistance through the presentation was fabulous. It’s just one of those opportunities that comes along that I couldn’t pass up.

So for the past 6 months I’ve been the Project Manager for Deployments for Likewise Software. I’ve been on the road about 80% of the time, working with customers to install our software in their environments. Many of the posts I’ve made in that time have been in response to an issue we’ve seen or avoided at a customer of Likewise. I will continue to write these, and I’ll work on doing so at my old (2007) pace of about 3-4 posts a month, since they have been (according to my stats) useful to many people, which is the point of writing this blog.

That means no changes here compared to last year, but I will have a wider variety of topics, and I’ll likely start mentioning our software specifically. I want it to be clear it’s not advertising, but just the state of what I’m working with. Again, Centrify makes a great product, and I was very happy to have chosen it for my needs at my previous employer.  However, I’ve chosen to move forward with this open source company (Likewise Software) for the next stage of my career, and will continue to write about software and integration with a view towards open source software.

Thanks for continuing to read!

Robert Auch

As of today:

“Akismet has caught 347 spam for you since you first installed it.”

That’s since 11/29/2007. Akismet has YET to miscategorize a comment as spam, and it has missed only a single spam comment. All I had to do was click “this is spam” and it was cleaned up.

The only other anti-spam product I’ve seen to perform this well is the IronPort mail system at a client. 130,000 or so attempts / day, 1 spam / day in the entire company queue, and no users complaining about spam in 5 months.

Akismet, Ironport, my hat is off to you both.

We’ve been having some server uptime/stability issues, and aren’t getting alerts from HP Systems Insight Manager (HP SIM) that the services are down (because they’re not down; they’re just not answering on HTTP).  So I took a copy of “responder.pl” and folded it into something I wrote for totalnetsolutions.net.  What came out is actually pretty nice, easily configurable, and so far this week, very stable.

We have this running every 3 minutes from 3 systems: 1 Windows 2003, 1 Fedora Core 8, and 1 Kubuntu Gutsy Gibbon.  It requires Net::SMTP, Config::IniFiles, LWP::UserAgent, and HTTP::Request.  The only one that I’ve needed to download and install is Config::IniFiles on any of those 3 systems.  But I do have LWP::Simple on all systems, so I’m not sure if you’ll need the last 2.  This is my first published code other than 3 line bash scripts, so be kind in comments.

Feel free to take and use / improve / update this – I’d just appreciate if you’d let me know so I can update this version here.  The parseIni() function checks that all “URL”s are in http://www.google.com format or http://64.233.167.99 format (it checks for http:// followed by text followed by what appears to be a valid TLD format, or it checks for http:// followed by an IP address).  I have yet to add in the regex to look for a valid full URI, because I didn’t need that yet.

This is upgraded over responder.pl in that:

  1. It will send to any number of SMTP recipients (comma-separated)
  2. It will silence its alerting if *all* checked addresses are down.  If the monitoring system gets unplugged from the network, it won’t attempt to send hundreds of alerts upon regaining access.  Or if you’re testing from a DSL line, you won’t get alerts because the DSL line went down, but the actual target was up.  The next version will have this as an option in the INI file.
  3. It uses standard INI file formatting, rather than a parsed text file.
  4. It runs out of the box (so to speak) on Windows (ActivePerl) or Linux (Fedora and Ubuntu both tested).
  5. It has better inline documentation.

The major problem is that a minimum of 2 URLs are needed in the INI file for the full logic to work.  You can get around this for small networks by adding the DNS name of a host as one entry and its IP address as the other.

Thanks, and please share any concerns or problems.

chk-web.pl
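The two pieces of logic the post describes, the URL format check in parseIni() and the “stay silent when everything is down” rule, as an added shell example that is not chk-web.pl itself. The "url state" input format and the example hostnames are constructed for this illustration; the real script reads the targets from an INI file and probes them over HTTP.

```sh
#!/bin/sh
# Added example, not chk-web.pl: the post's URL validation rule and its
# all-targets-down alert suppression, as shell functions testable offline.

# Accept only http:// followed by a hostname ending in a plausible TLD
# (e.g. http://www.google.com) or by a dotted-quad IP (e.g. http://64.233.167.99).
# Anything else, including a bare hostname without a TLD, is rejected.
valid_url() {
    printf '%s\n' "$1" | grep -Eq \
        '^http://(([A-Za-z0-9-]+\.)+[A-Za-z]{2,}|([0-9]{1,3}\.){3}[0-9]{1,3})/?$'
}

# Reads lines of "<url> <up|down>" on stdin (the outcome of one probe round,
# constructed here) and prints the URLs that should raise an alert, one per line.
# If every target is down the monitoring host has most likely lost its own
# network link, so nothing is printed rather than mailing one alert per target.
decide_alerts() {
    total=0; down=0; failed=''
    while read -r url state; do
        total=$((total + 1))
        if [ "$state" = down ]; then
            down=$((down + 1))
            failed="$failed$url "      # space-separated; URLs carry no spaces
        fi
    done
    if [ "$total" -gt 0 ] && [ "$down" -eq "$total" ]; then
        return 0                       # all down: suppress every alert
    fi
    for u in $failed; do               # intentional word splitting
        printf '%s\n' "$u"
    done
}
```

With a single target in the INI file the suppression rule can never fire on a real outage, which is the "minimum of 2 URLs" limitation the post mentions.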
