I often want to use an Xserver under Windows for connecting to a linux host.
After quite a while of using cygwin to achieve this, I discovered Xming which is based on the same xwindow code but is packaged specifically for providing a windows Xserver. Much simpler to use than installing and configuring cygwin which invariably involves editing the PATH variable on the windows machine and creating a suitable launch icon.
However, if your window manager on the client is KDE, you may well find that if you enable the clipboard support then the Xserver will hang immediately after login using XDMCP.
The solution to this is to edit your gdm.conf file and add the line
KillInitClients=false
in the [daemon] section
Restart gdm and you'll find that you can login and all will work.
Sunday, 18 November 2007
Friday, 16 November 2007
Internal modem on a Dell Inspiron 5100 under Linux
Following an incident where I was forced to use GPRS on my mobile to connect back to work I've finally got round to sorting out the modem connection on the Inspiron 5100 that I use for remote work so that I can use it under linux.
It comes with a PC Tel soft modem which doesn't just appear as a /dev/ttyS? port.
The solution is quite simple
apt-get install build-essential module-assistant sl-modem-source
m-a update
m-a prepare
m-a a-i sl-modem
apt-get install sl-modem-daemon
This detects the modem and symlinks it to /dev/modem
Monday, 5 November 2007
Citrix Metaframe client on Linux
For a software demo we're having, I needed to install a Citrix Metaframe client. My desktop of choice is Linux and so I downloaded the linux version of the ICA client from http://www.citrix.com/English/SS/downloads/details.asp?dID=2755&downloadID=3323&pID=186
The software installed fine, as per the Admin guide, but there were a couple of extra bits needed.
Firstly the motif libraries. As I'm running debian etch, and there's no longer a debian version of the motif libraries, I had to download the .deb file for these from an old distro (sarge) and use dpkg to install it.
libmotif3_2.2.3-1_i386.deb was the file in question.
Then, having used Iceweasel (Firefox under any other name) to connect to the citrix box, I was getting 'You have not chosen to trust "Equifax Secure Global eBusiness CA-1", the issuer of the server's security certificate.' when launching one of the applications.
The solution was to go to
http://www.geotrust.com/resources/root_certificates/index.asp
and download the Equifax Secure Global eBusiness CA-1 certificates (note: use right click, Save As, otherwise you'll just be trying to install them in the browser) and then copy the files to
/usr/lib/ICAClient/keystore and restart Iceweasel
Thursday, 1 November 2007
SMTP AUTH using exim and PAM
I want to use SMTP AUTH to enable road warriors to send through the office mail server - but I don't want yet another set of user names and passwords - so what I need is to use PAM to plug in to the existing Linux authentication mechanism.
This can actually be done quite easily with exim4 (the MTA that we use)
First of all, you'll want to be running the daemon-heavy debian version of exim with split up configuration files.
Then, in /etc/exim4/conf.d/auth add a local config file with:
plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = "${if pam{$2:$3}{1}{0}}"
server_set_id = $2
login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if pam{$1:$2}{1}{0}}"
server_set_id = $1
You could rename these authenticators if they conflict with existing ones - or, more likely, comment out the existing ones.
In /etc/exim4/conf.d/main set
MAIN_TLS_ENABLE = true
in a local config file (before the 03 TLS one) and
auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
to only allow AUTH if TLS is running.
Then in /etc/pam.d create a config file for exim.
I have simply:
#
# The PAM config file for exim SMTP
#
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-password
@include common-session
to make it match everything else on the host, but you could tailor it.
You'll need a set of certificates for the TLS communication. Self signed ones can be produced by /usr/share/doc/exim4-base/examples/exim-gencert
The final step is to make Debian-exim a member of the shadow group so that it can read the shadow passwords and actually do the authentication.
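To see how the $1/$2/$3 numbering in those server_condition settings lines up with what a client actually sends, here is an added Python model (not exim code and not from this post) that decodes a PLAIN and a LOGIN exchange and applies the same conditions; FAKE_PAM_DB is a constructed stand-in for the PAM lookup and the cipher string is made up.

```python
import base64
import hmac
from typing import List, Optional

# Constructed stand-in for the PAM lookup that ${if pam{user:pass}{1}{0}} performs;
# real PAM consults /etc/shadow, which is why Debian-exim needs the shadow group.
FAKE_PAM_DB = {"alice": "correct-horse", "bob": "hunter2"}


def pam_check(userpass: str) -> bool:
    """Mimic exim's pam{} condition: its argument is 'user:password'."""
    user, _, password = userpass.partition(":")
    expected = FAKE_PAM_DB.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def encode_plain(authzid: str, authcid: str, password: str) -> str:
    """Build the base64 SASL PLAIN response a client sends (RFC 4616)."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode()


def plain_fields(response_b64: str) -> List[str]:
    """Split a PLAIN response the way the plaintext driver does with
    server_prompts = : (no prompt, one NUL-separated string): $1=authzid,
    $2=authcid, $3=password, which is why the page uses pam{$2:$3}."""
    parts = base64.b64decode(response_b64).decode().split("\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must contain exactly three NUL-separated fields")
    return parts


def encode_login(username: str, password: str) -> List[str]:
    """LOGIN answers two prompts (Username:, Password:), each base64-encoded."""
    return [base64.b64encode(username.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def login_fields(answers_b64: List[str]) -> List[str]:
    """With two prompts exim numbers the answers $1 (user) and $2 (password),
    so the LOGIN authenticator uses pam{$1:$2}."""
    if len(answers_b64) != 2:
        raise ValueError("LOGIN needs exactly two answers")
    return [base64.b64decode(a).decode() for a in answers_b64]


def server_condition(mechanism: str, fields: List[str]) -> bool:
    """Evaluate the page's server_condition for the given mechanism."""
    if mechanism == "PLAIN":
        return pam_check(f"{fields[1]}:{fields[2]}")
    if mechanism == "LOGIN":
        return pam_check(f"{fields[0]}:{fields[1]}")
    raise ValueError(f"unsupported mechanism {mechanism}")


def auth_advertised(tls_cipher: Optional[str]) -> bool:
    """auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}: an empty $tls_cipher
    (session not under TLS) expands to an empty host list, so AUTH is not offered."""
    return bool(tls_cipher)


if __name__ == "__main__":
    # Constructed exchange: PLAIN without an authzid, then LOGIN with two answers.
    plain = encode_plain("", "alice", "correct-horse")
    print("PLAIN ->", plain_fields(plain), server_condition("PLAIN", plain_fields(plain)))
    login = encode_login("bob", "hunter2")
    print("LOGIN ->", login_fields(login), server_condition("LOGIN", login_fields(login)))
    print("AUTH advertised on plain TCP:", auth_advertised(""))
```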
One further change I do is to prevent authenticated mails from being scanned by spamassassin.
In the rcpt acl I add
# Prevent auth users from being scanned by Spamassassin
warn authenticated = *
set acl_m0 = do-not-scan
Then in /etc/exim4/sa-exim.conf
SAEximRunCond: ${if and {{def:sender_host_address} {!match {$sender_host_address}{\N^(192\.168\.*)|(127\.0\.0\.1)$\N}} {!eq{$acl_m0}{do-not-scan}} } {1}{0}}
Which means that spamassassin won't be called for mail originating on the local network or for mail where the acl_m0 variable has been set to do-not-scan.
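As an added example (not from the post), the same rcpt ACL and SAEximRunCond written out in Python so the policy can be checked against sample messages; the sender addresses in the test are constructed.

```python
import re
from typing import Optional


def rcpt_acl_m0(authenticated_id: Optional[str]) -> str:
    """The rcpt ACL on the page: 'warn authenticated = *' followed by
    'set acl_m0 = do-not-scan'. Returns the value of $acl_m0 afterwards."""
    return "do-not-scan" if authenticated_id else ""


# The SAEximRunCond regex from sa-exim.conf, verbatim. Exim's ${if match ...}
# is an unanchored search, so re.search is the Python equivalent. Note that ^
# belongs only to the first alternative and $ only to the second, and \.*
# means "zero or more dots", so the first alternative matches any address
# that merely begins with 192.168.
LOCAL_RE = re.compile(r"^(192\.168\.*)|(127\.0\.0\.1)$")


def sa_exim_run_cond(sender_host_address: Optional[str], acl_m0: str) -> bool:
    """Reproduce SAEximRunCond: SpamAssassin runs only if all three hold."""
    if not sender_host_address:               # def:sender_host_address is false
        return False                          # (local submission, no remote host)
    if LOCAL_RE.search(sender_host_address):  # !match {...} is false
        return False
    if acl_m0 == "do-not-scan":               # !eq{$acl_m0}{do-not-scan} is false
        return False
    return True


def will_scan(sender_host_address: Optional[str], authenticated_id: Optional[str]) -> bool:
    """Chain the ACL and the run condition for one message."""
    return sa_exim_run_cond(sender_host_address, rcpt_acl_m0(authenticated_id))
```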
Tuesday, 30 October 2007
Hiding accounts on XP
If you're running XP with the "chooser" login method, you can hide certain accounts from the list so that you have to do Ctrl-Alt-Del to log in as them.
Use regedit to access the registry and browse to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Add a DWORD in there whose name is the user name in question, with a value of 0.
Tuesday, 23 October 2007
Producing encoded URLs with CGI.pm
I was in need of some URLs with the special characters (like space, & etc) escaped. They contain parameters that are being read from a database which are text search strings.
It turns out that the escape() function in CGI.pm will do what is needed - but it's not a standard function that is available when you just use CGI. You have to
use CGI qw/escape /;
to make the function available.
Monday, 22 October 2007
Web browser built in search engine links
We've started investigating linking the GoodnessDirect search page into the search box found on browsers like Firefox 2 and Internet Explorer 7.
The technique for this is actually really simple. You create an XML file to the OpenSearch standard, host it on your web server and add a reference to that in the head of your web pages.
The XML file looks something like this:
<?xml version="1.0" encoding="UTF-8" ?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/"
                       xmlns:moz="http://www.mozilla.org/2006/browser/search/">
  <ShortName>EngineName</ShortName>
  <Description>EngineDescription</Description>
  <InputEncoding>UTF-8</InputEncoding>
  <Image width="16" height="16">ImageData</Image>
  <Url type="text/html" method="GET" template="searchURL?query={searchTerms}" />
  <Url type="application/x-suggestions+json" method="GET"
       template="suggestionsURL?search={searchTerms}" />
  <moz:SearchForm>searchPageURL</moz:SearchForm>
</OpenSearchDescription>
One little snag we hit was that our site makes a lot of use of extended path info as processed by Apache. This is fine with searches that are just single words or words with single spaces between them, but each space is translated into a + and the resulting ++ of two spaces causes the CGI processor to get upset. So we changed to using GET parameters for this and all is well.
The suggestionsURL above is used to produce some suggestions for the drop down box you get in the search bar. It's up to you as to how you handle this and you simply return a JSON array with the results such as:
["tofu",["tofu", "tofutti", "tofutti rock n roll cones 4x110ml", "tofutti rock 'n roll non-dairy ice cream cake 700ml", "tofutti organic vanilla non-dairy frozen dessert 750ml", "tofutti mango & passion fruit non-dairy frozen dessert 750ml", "tofutti organic strawberry non-dairy frozen dessert 750ml", "blue dragon tofu, firm silken style 349g", "taifun graffiti tofu terrine 200g", "danival organic tofu ravioli 670g", "danival organic lentils and tofu with vegetables 525g", "tofutti sour supreme 227g"],[],[]]
The first item is the term that the user entered, then you have an array of suggestions, then an optional array of descriptions of the suggestions, then an optional array of URLs for the suggestions.
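An added Python example (not the GoodnessDirect code) that builds a suggestions response of that shape from a constructed product list and validates one coming back; CATALOGUE is made up for the example.

```python
import json
from typing import List

# Constructed product names standing in for the database search; not the site's data.
CATALOGUE = [
    "tofu",
    "tofutti",
    "tofutti sour supreme 227g",
    "blue dragon tofu, firm silken style 349g",
    "danival organic tofu ravioli 670g",
    "mango & passion fruit sorbet 500ml",
]


def suggest(term: str, catalogue: List[str], limit: int = 10) -> List[str]:
    """Case-insensitive substring match; prefix matches sort first, as in the
    page's example where 'tofu' and 'tofutti' precede 'blue dragon tofu'."""
    t = term.lower()
    hits = [name for name in catalogue if t in name.lower()]
    hits.sort(key=lambda n: (not n.lower().startswith(t), n))
    return hits[:limit]


def suggestions_response(term: str, catalogue: List[str]) -> str:
    """Build the body for the application/x-suggestions+json Url:
    [query, [completions], [descriptions], [urls]]; the last two may be empty.
    json.dumps escapes quotes, backslashes and control characters in the echoed
    query, so a crafted search term cannot break out of the JSON string."""
    body = [term, suggest(term, catalogue), [], []]
    return json.dumps(body)


def parse_suggestions(body: str) -> dict:
    """Validate a suggestions document of the shape the page describes."""
    doc = json.loads(body)
    if not (isinstance(doc, list) and 2 <= len(doc) <= 4):
        raise ValueError("suggestions must be a list of 2 to 4 elements")
    query, completions = doc[0], doc[1]
    if not isinstance(query, str) or not all(isinstance(c, str) for c in completions):
        raise ValueError("query and completions must be strings")
    descriptions = doc[2] if len(doc) > 2 else []
    urls = doc[3] if len(doc) > 3 else []
    for optional in (descriptions, urls):
        if optional and len(optional) != len(completions):
            raise ValueError("optional arrays must be empty or match completions")
    return {"query": query, "completions": completions,
            "descriptions": descriptions, "urls": urls}


if __name__ == "__main__":
    print(suggestions_response("tofu", CATALOGUE))
```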
Wednesday, 17 October 2007
CUPS and lpd jobs
On a couple of occasions I've updated CUPS print servers that are receiving jobs by lpd (one from OpenVMS and one from SCO OpenServer).
In both instances the jobs are simple plain text just to be thrown out again, usually to a dot matrix printer.
Some gotchas occurred in both cases!
Firstly, as of CUPS 1.2, the default is for banner pages to be printed on lpd received jobs. This is compounded by the fact that the banners are postscript and I'm sending jobs on raw to dot matrix printers - which don't make a great job of interpreting postscript!
The solution for that one is to amend the line in inetd.conf which runs the cups lpd server to look like:
printer stream tcp nowait lp /usr/lib/cups/daemon/cups-lpd cups-lpd -o job-sheets=none,none -o document-format=text/plain
thereby forcing the lack of banners and the document format.
The other problem I had was in the set up that receives jobs from the SCO box. This was a CUPS authentication issue. The lpd daemon calls CUPS to inject print jobs, but doesn't do any authentication as it does so. So the areas that it needs access to (/printers and /jobs) need to be accessible without authentication.
The cupsd.conf for the server in question had:
<Location /jobs>
AuthType Basic
AuthClass User
</Location>
Thereby requiring authentication for /jobs which the lpd daemon wasn't passing on.
Friday, 12 October 2007
IPCop with Cop+ filtering
IPCop is a simple to install linux based firewall solution. You can add a content filtering proxy to it in the form of Dansguardian by adding a package called Cop+. However, the default IPCop set up doesn't include much swap space - it tends not to need much memory. Dansguardian is a bit memory hungry due to all the data it has to use to do the filtering so you can end up running out.
I use the following to make sure that there's sufficient swap space available
swapoff -a # turn off existing swap space
dd if=/dev/zero of=/swapfile bs=1024 count=524288 # rewrite the swap file to 512MB
mkswap /swapfile # format the new swap file
swapon /swapfile # turn on the new swap space
With this set up I haven't run into any memory issues.
Wednesday, 10 October 2007
Samba 3 SID issue
When I first migrated a machine to Samba 3 I had all sorts of fun with picking up the old user profiles. The SID of the machine was stubbornly refusing to be what it should be and looking at the output of smbclient -L, the machine was in its own "domain" rather than the correct one.
Eventually, I found that by setting "workgroup" to the domain name and "netbios name" to the host name, it behaved itself and properly created users with the right SID.
The other gotcha is that if you ever change the workgroup or netbios name then the SID is regenerated. So for porting profiles from one machine to another, the trick is to get these settings in smb.conf correct first, restart samba, then stop samba, copy secrets.tdb between the machines and then start it up again. That way you can migrate the domain SID around safely and the old user profiles continue to work.
Amanda essentials on Debian etch
The version of amanda that ships with Debian etch has got a bit more sophisticated in its authentication.
Out of the box, it doesn't let you restore with amrecover. Here are the changes I've had to make to get it working.
Firstly, in /etc/inetd.conf the amanda service lines change to:
amandaidx stream tcp nowait backup /usr/sbin/tcpd /usr/lib/amanda/amindexd -auth=bsd amdump amindexd amidxtaped
amidxtape stream tcp nowait backup /usr/sbin/tcpd /usr/lib/amanda/amidxtaped -auth=bsd amdump amindexd amidxtaped
amanda dgram udp wait backup /usr/sbin/tcpd /usr/lib/amanda/amandad -auth=bsd amdump amindexd amidxtaped
inetd then needs restarting to pick up this change
Then in /etc/amandahosts, "amindexd amidxtaped" needs adding to any lines giving root access to do the restore
Tuesday, 9 October 2007
Virtual Machines
One of my recent investigations has been into using Virtual machines (tried both Xen and VMware) to consolidate some services and get rid of some ancient stand alone windows machines.
I've now got rid of three windows machines and replaced them by two VMware machines. The host is a Debian etch box and the guest is a windows XP machine.
One of the key issues for what I've wanted to do is providing the right hardware to the guest machines. In particular, one of them needs a parallel port for a dongle and three serial ports for modems and a data logger. The parallel port wasn't a problem as VMware can pass through the native port on the host machine. For the serial ports one of the added complications was that two of them need to be at quite a distance from the host. So, I've got hold of some Perle IOLan DS single port terminal servers. These have a mode of operation called Trueport where they can provide a virtual serial port to a remote computer. If you combine these with PoE splitter units (I've got the ones by Level One - very nice little boxes that will give you 5, 7.5, 9 or 12 V out to power your device) then you get a remote serial port anywhere on your network.
So far I've got this method working for the data logger and one of the modems. The other modem is being a little more stubborn. It would appear that there's some kind of issue with windows dialup networking and this way of connecting a modem that isn't entirely happy. So for now, the dialup networking modem is connected to the serial port on the host which is being passed through to the guest.
Monday, 24 September 2007
Tape drive fun
Following the upgrade of a server from debian sarge to etch over the weekend, the backup software (amanda) decided that it didn't want to properly access the drive.
This was particularly odd as I've done several other upgrades from sarge to etch without a problem (or at least without problems to do with amanda) already. It turns out that the issue is with the particular tape drive in question (a USB connected HP DDS4 drive) being fussy about the tape block size. The fix was to download the amanda source and re-compile it with the tape block size (in the debian/rules file) set to 64 - the debian default was 256.