Blog


Creating Your Own Bazaar Server

posted Sep 17, 2012, 8:52 AM by Andre Rossouw

 - Original content: 2011 © Michael Lustfield (http://michael.lustfield.net/content/creating-your-own-bazaar-server)

Install SSH server and BZR
sudo aptitude install openssh-server bzr

Configure file system and group permissions
All bzr branches should live in the same directory/partition and be accessed via: bzr+ssh://server.com/bzr/branch

Get into the branch directory
cd /bazaar

Create a directory for branch content
mkdir bzr

Make a short path to it (a symlink at /bzr)
cd /
ln -s /bazaar/bzr

Create generic group, bzr. Members of this group will be able to push.
groupadd bzr

Assign group to branches
chown root:bzr /bazaar/bzr

Set generic permissions
chmod 770 /bazaar/bzr

Set the setgid bit so new files and subdirectories inherit the bzr group
chmod g+s /bazaar/bzr

Add a user to the bzr group:
usermod -a -G bzr username


For special projects or tighter security, create additional groups and assign to relevant branches:
Create new group
groupadd bzr-special

Set permissions on branch
chown -R root:bzr-special /bzr/branch

Add users to the special group
usermod -a -G bzr-special username
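The steps above (for the shared /bazaar/bzr tree as well as the per-project bzr-special groups) rely on one property: the setgid bit on the directory makes everything created inside it belong to the group, so group membership alone decides who can push. The script below is an added example, not part of the original post, that performs the directory setup as a function and then checks that property. It runs on a temporary tree with a group the caller already belongs to, so no root is needed; on the real server the same functions would be called as root on /bazaar/bzr with group bzr (and on /bzr/branch with bzr-special).

```shell
#!/bin/sh
# Added example, not part of the original post: set up a shared branch
# directory the way the steps above describe and verify that the setgid
# bit really makes new files inherit the group. Uses a temporary tree and
# a group the caller already belongs to, so it runs without root.
set -e

# setup_shared_dir DIR GROUP
# Creates DIR, hands it to GROUP, grants rwx to owner and group and nothing
# to others, and sets the setgid bit (the leading 2 in 2770) so that files
# and subdirectories created inside get GROUP instead of the creator's
# primary group. Only group members can therefore read or push.
setup_shared_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# group_of PATH: prints the group owning PATH (ls -l column 4 is the same
# on GNU and BSD userlands, unlike the flags of stat).
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# has_setgid DIR: true when the setgid bit is set on DIR.
has_setgid() {
    [ -g "$1" ]
}

# inherits_group DIR GROUP: creates a probe file in DIR, checks whether it
# received GROUP, removes it again. Returns 0 when the inheritance works.
inherits_group() {
    probe="$1/.probe.$$"
    : > "$probe"
    actual=$(group_of "$probe")
    rm -f "$probe"
    [ "$actual" = "$2" ]
}

# demo_group: picks a supplementary group of the caller if one exists, so
# that inheritance is actually observable (a file would otherwise get the
# primary group anyway); falls back to the primary group.
demo_group() {
    primary=$(id -gn)
    for g in $(id -Gn); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"
}

# Stand-alone run on a temporary tree.
DEMO_ROOT=$(mktemp -d)
DEMO_GROUP=$(demo_group)
setup_shared_dir "$DEMO_ROOT/bzr" "$DEMO_GROUP"
has_setgid "$DEMO_ROOT/bzr" && echo "setgid set on $DEMO_ROOT/bzr"
inherits_group "$DEMO_ROOT/bzr" "$DEMO_GROUP" \
    && echo "new files inherit group $DEMO_GROUP"
rm -rf "$DEMO_ROOT"
```

Note that the kernel silently drops the setgid bit on chmod when the caller is not a member of the directory's group and lacks the privilege to override that, which is why the check after setup is worth keeping in a provisioning script.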


Get Members of Windows Security Groups

posted Sep 12, 2012, 3:35 AM by Andre Rossouw   [ updated Sep 12, 2012, 3:36 AM ]

Get the list of members of the security groups named in a text file. This is very useful when you want a list of the user accounts in each security group.

Steps:

  1. Create a text file: GroupNames.txt
  2. Copy all the group names into it (only the group name, not the DN of the group; for example, Administrator)
  3. Run the following command:

For /f "Tokens=*" %a in (GroupNames.txt) Do DsQuery group -name "%a" | DsGet group -members -expand > GroupName_%a.txt

The above command creates one file per group, named after that group, and saves all the members of that group into it. If you put the command in a batch file rather than typing it at the prompt, write %%a instead of %a.

Make my fox run faster!

posted Mar 16, 2012, 8:15 AM by Andre Rossouw

Ok, here you go:

Make the following changes in about:config

Edit the following keys:

network.http.pipelining --> true
network.http.proxy.pipelining --> true
network.http.pipelining.maxrequests --> 8

Create the new keys:

nglayout.initialpaint.delay --> Integer --> 0
content.notify.interval --> Integer --> 500000
content.notify.ontimer --> Boolean --> true
content.switch.threshold --> Integer --> 250000
content.interrupt.parsing --> Boolean --> false

Accessing CIFS shares via CNAME records

posted Nov 14, 2011, 6:43 AM by Andre Rossouw

Had issues with CNAMEs and access to Windows CIFS shares.
Extract from: http://serverfault.com/questions/23823/how-to-configure-windows-machine-to-allow-file-sharing-with-dns-alias

Outline

  1. The Problem
  2. The Solution
    • Allowing other machines to use filesharing via the DNS Alias (DisableStrictNameChecking)
    • Allowing server machine to use filesharing with itself via the DNS Alias (BackConnectionHostNames)
    • Providing browse capabilities for multiple NetBIOS names (OptionalNames)
    • Register the Kerberos service principal names (SPNs) for other Windows functions like Printing (setspn)
  3. References

1. The Problem

On Windows machines, file sharing can work via the computer name, with or without full qualification, or by the IP Address. By default, however, filesharing will not work with arbitrary DNS aliases. To enable filesharing and other Windows services to work with DNS aliases, you must make registry changes as detailed below and reboot the machine.

2. The Solution

Allowing other machines to use filesharing via the DNS Alias (DisableStrictNameChecking)

This change alone will allow other machines on the network to connect to the machine using any arbitrary hostname. (However, this change will not allow a machine to connect to itself via a hostname; see BackConnectionHostNames below.)

  • Edit the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters and add a value DisableStrictNameChecking of type DWORD set to 1.

Allowing server machine to use filesharing with itself via the DNS Alias (BackConnectionHostNames)

This change is necessary for a DNS alias to work with filesharing when the machine connects to itself. It registers the host names that the Local Security Authority will accept in an NTLM authentication request aimed at the local machine; list only the aliases actually in use, since every name added here is one the machine will authenticate against itself for.

To do this, follow these steps for all the nodes on the client computer:

  1. To the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, add new Multi-String Value BackConnectionHostNames
  2. In the Value data box, type the CNAME or the DNS alias, that is used for the local shares on the computer, and then click OK.
    • Note: Type each host name on a separate line.

Providing browse capabilities for multiple NetBIOS names (OptionalNames)

Makes the network alias visible in the network browse list.

  1. Edit the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters and add a value OptionalNames of type Multi-String
  2. Add in a newline delimited list of names that should be registered under the NetBIOS browse entries
    • Names should match NetBIOS conventions (i.e. not FQDN, just hostname)

Register the Kerberos service principal names (SPNs) for other Windows functions like Printing (setspn)

NOTE: This should not be needed for basic functions to work; it is documented here for completeness. We had one situation in which the DNS alias was not working because an old SPN record was interfering, so if the other steps aren't working, check for stray SPN records.

You must register the Kerberos service principal names (SPNs), the host name, and the fully-qualified domain name (FQDN) for all the new DNS alias (CNAME) records. If you do not do this, a Kerberos ticket request for a DNS alias (CNAME) record may fail and return the error code KDC_ERR_S_SPRINCIPAL_UNKNOWN.

To view the Kerberos SPNs for the new DNS alias records, use the Setspn command-line tool (setspn.exe). The Setspn tool is included in Windows Server 2003 Support Tools. You can install Windows Server 2003 Support Tools from the Support\Tools folder of the Windows Server 2003 startup disk.

To list all SPNs registered for a computer name:

setspn -L computername

To register the SPN for the DNS alias (CNAME) records, use the Setspn tool with the following syntax:

setspn -A host/your_ALIAS_name computername
setspn -A host/your_ALIAS_name.company.com computername

3. References

All the Microsoft references are reachable via http://support.microsoft.com/kb/ followed by the KB number:

  1. Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
    • Covers the basics of making file sharing work properly with DNS alias records from other computers to the server computer.
    • KB281308
  2. Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1: "Access denied" or "No network provider accepted the given network path"
    • Covers how to make the DNS alias work with file sharing from the file server itself.
    • KB926642
  3. How to consolidate print servers by using DNS alias (CNAME) records in Windows Server 2003 and in Windows 2000 Server
    • Covers more complex scenarios in which records in Active Directory may need to be updated for certain services to work properly and for browsing for such services to work properly, how to register the Kerberos service principal names (SPNs).
    • KB870911
  4. Distributed File System update to support consolidation roots in Windows Server 2003
    • Covers even more complex scenarios with DFS (discusses OptionalNames).
    • KB829885

Promiscuous Mode and interfaces

posted Sep 6, 2011, 12:58 PM by Andre Rossouw

Promiscuous mode is required for correct operation of bridging - especially with OpenVPN in bridge mode as a guest. Example interfaces file:

# The loopback network interface
auto lo
iface lo inet loopback

# Create our bridge interface using a static IP address on the network
auto br0
iface br0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    pre-up ifconfig eth0 down
    pre-up ifconfig eth0 0.0.0.0 promisc up
    pre-up brctl addbr br0
    pre-up brctl addif br0 eth0
    bridge_fd 9
    bridge_hello 2
    bridge_maxage 12
    bridge_stp off

# Configure the actual Ethernet device in promiscuous mode and
# add it to the bridge
iface eth0 inet manual
    pre-up ifconfig eth0 0.0.0.0 promisc up
    pre-up brctl addif br0 eth0
    pre-down brctl delif br0 eth0
    pre-down ifconfig eth0 down

As a side note, Microsoft Hyper-V does not support promiscuous mode. That breaks any service that needs it, typically security, VPN and packet-inspection appliances.
Hyper-V has only wasted 2 days of my life... :|
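Whether the bridge really came up with eth0 in promiscuous mode is easy to check from the kernel's own view of the interface, which is also the quickest way to tell a hypervisor that quietly refuses promiscuous mode (as described above) from a broken interfaces file. The script below is an added example, not part of the original post: it reads the interface flags from sysfs and tests the IFF_PROMISC bit (0x100, from the kernel's if.h) and the brport/bridge link that the kernel creates for a bridge port. The interface names eth0 and br0 come from the example above.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that eth0 is in
# promiscuous mode and enslaved to br0, using the flags word and bridge
# port link that the Linux kernel exposes under /sys/class/net.
set -e

IFF_PROMISC=256   # 0x100, IFF_PROMISC from <linux/if.h>

# flags_have_promisc HEXFLAGS: true when the IFF_PROMISC bit is set in a
# flags word as printed by /sys/class/net/<if>/flags (for example 0x1103,
# which is UP|BROADCAST|PROMISC|MULTICAST).
flags_have_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# iface_is_promisc IFACE: reads the live flags of IFACE from sysfs; false
# when the interface does not exist.
iface_is_promisc() {
    flags_file="/sys/class/net/$1/flags"
    [ -r "$flags_file" ] || return 1
    flags_have_promisc "$(cat "$flags_file")"
}

# iface_bridge IFACE: prints the bridge IFACE is a port of, or nothing.
iface_bridge() {
    link="/sys/class/net/$1/brport/bridge"
    [ -L "$link" ] && basename "$(readlink "$link")"
}

# check_bridge_member IFACE BRIDGE: returns 0 only if IFACE is promiscuous
# and a port of BRIDGE; explains on stderr which condition failed.
check_bridge_member() {
    iface_is_promisc "$1" || { echo "$1: not in promiscuous mode" >&2; return 1; }
    [ "$(iface_bridge "$1")" = "$2" ] || { echo "$1: not a port of $2" >&2; return 1; }
    echo "$1: promiscuous and enslaved to $2"
}

# Stand-alone run for the interfaces from the example above; skipped on a
# machine that has no eth0.
if [ -d /sys/class/net/eth0 ]; then
    check_bridge_member eth0 br0 || true
fi
```

Running check_bridge_member eth0 br0 from a post-up line (or from a monitoring check) turns the "did promiscuous mode stick?" question into a yes/no answer, which is what you want when a guest NIC on a hypervisor may have silently cleared the flag.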

Installing Nvidia drivers on Ubuntu

posted Oct 13, 2010, 5:33 AM by Andre Rossouw   [ updated Oct 13, 2010, 5:40 AM ]

Edit /etc/modprobe.d/blacklist.conf by adding the following lines:

blacklist vga16fb
blacklist nouveau
blacklist rivafb
blacklist nvidiafb
blacklist rivatv

Reboot the machine. Once restarted, press Ctrl+Alt+F2 and log in.

sudo service gdm stop

Run the Nvidia installer.

wget, Ubuntu 10.04 and environment variables

posted Aug 13, 2010, 5:29 AM by Andre Rossouw   [ updated Oct 13, 2010, 5:42 AM ]

On Ubuntu 10.04 wget will not work through a proxy. From reading all other posts related to wget and proxies, wget is meant to honour environment variables such as http_proxy.
In my experience though, wget will simply not honour these variables. Unless it is run as root... not sudo, mind you, *root*.

So for me to fix my flashplugin-installer issue, I had to run it as root.

$ sudo su -

# export http_proxy="proxy:port"
# apt-get -y remove flashplugin-installer
# apt-get -y install flashplugin-installer

# exit

Then I mosey along to Launchpad to see if I can report this. Eh... no.
