Friday, September 28, 2007

Apache 2.2 PAM troubles

This time I had to configure an Apache to use PAM to connect through winbind to an Active Directory.

Basically I was trying to port an Apache 2.0 vhost to Apache 2.2 since we are switching servers.

It took me some time until we found a bug report indicating why it was not working anymore:

AuthBasicAuthoritative Off


http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=394097

Monday, September 24, 2007

SATA Problems Part II

Last weekend I got the replacement disk for my broken SATA disk and reinstalled it. I found a manual quite quickly but had some serious problems, since I got one of the two following errors while trying to rebuild the RAID 1 array:
ata1: Timeout
ata1: DMA Timeout

Although I had some ideas about what could be wrong, my last resort was to change the SATA cable, and that was all it needed...


Rebuild Array

To rebuild an array with a clean disk I found this guide useful:
http://www200.pair.com/mecham/raid/raid1-degraded-etch.html

Although it was written for IDE disks, you can use it for SATA as well.

Here are the needed parts, extracted:
We start by copying the partition structure from /dev/hda to /dev/hdc. We do this for what should now be an obvious reason: the secondary drive is empty, but it needs to have the same structure as the primary drive. If the disk was first cleaned, and is large enough, you should have no errors (but you may still have to --force it):

sfdisk -d /dev/hda | sfdisk /dev/hdc

We make sure the superblocks are zeroed out on the new drive (as always, be careful you do this to the correct drive). Edit as needed:

mdadm --zero-superblock /dev/hdc1
mdadm --zero-superblock /dev/hdc5
mdadm --zero-superblock /dev/hdc6


Now we add our three hdc partitions to the corresponding md's.
Understand what you are doing here before you do it, edit as needed:


mdadm --add /dev/md0 /dev/hdc1
mdadm --add /dev/md1 /dev/hdc5
mdadm --add /dev/md2 /dev/hdc6


Watch them sync:
watch -n 6 cat /proc/mdstat

Once the recovery is complete (and not until then), create new boot records on both drives:
grub

From the grub> prompt (edit partition number if needed):
root (hd0,0)
setup (hd0)
root (hd1,0)
setup (hd1)
quit

PHP5 DomDocument schemaValidation problems

First I have to tell about a SOAP connection to a web service. I don't know if the developers ever thought about SOAP beyond a quick thought of how to transfer data, since from my end it looks as if they had absolutely no idea what they were doing.

We have a service that holds a bunch of personal data which we have to transfer to the web service of a higher instance. Now you would think they provide a SOAP connection with a lot of functions to send them the data for every person.. but no.. there are only two functions:
  • one which wants an XML string where all personal data has been collected together, and
  • a second one which wants the same string as a zip.
So you see, the whole point of the SOAP connection is just to send them the already prepared XML files, and then they work with the collected data somehow internally.

Fortunately they provided an XSD file, so I was able to add additional validation to ensure the data is valid.

Now I created the XML files using PHP5 DomDocument. The library makes it really easy to create elements, and it also has a schema validation functionality.

I don't want to get into too much detail, but when I said that they want all personal data of all people collected in one file, you will notice that it would not be a good idea to first create all users in one file and then check if that file is ok... or perhaps I am just the only paranoid one here, but I wanted to know exactly which person is making trouble.

So my code first creates the XML data for each person separately (although cached), and then I add the XML data to a prepared XML so I can validate against the schema.

The Problem
Now we get to the point. My function first creates a validation XML which holds all the markup and then adds the XML data of the person using DomDocument->importNode and then appendChild at the correct position.

Unfortunately the schema validation finds errors where there really are none, or so I thought. I got error messages in which I was unable to see anything wrong. But I found a workaround.
Using DomDocument->loadXML(DomDocument->saveXML()) just before the validation, I was able to sort of "normalize" the DomDocument, and the schema validation worked.

I am not sure if the schema validation was just not designed for such work or whether I misjudged and used it completely wrong. But since there is not much documentation on php.net, I had no other way.
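As an added example (not the post's own code), here is the per-person build, import and validate flow with the loadXML(saveXML()) normalization from the post, validating each person in its own wrapper document so an error points at exactly one record. The namespace, element names, XSD and sample records are constructed for illustration.

```php
<?php
// Added example (not the original post's code): per-person DOMDocument, import into a
// prepared wrapper, loadXML(saveXML()) normalization, then schema validation.

const PERSONS_NS = 'urn:example:persons'; // constructed namespace

// Constructed XSD: <persons> holds <person id="..."> entries with name and birthdate.
function personSchema(): string
{
    return <<<'XSD'
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="urn:example:persons"
           xmlns="urn:example:persons" elementFormDefault="qualified">
  <xs:element name="persons"><xs:complexType><xs:sequence>
    <xs:element name="person" maxOccurs="unbounded">
      <xs:complexType>
        <xs:sequence>
          <xs:element name="name" type="xs:string"/>
          <xs:element name="birthdate" type="xs:date"/>
        </xs:sequence>
        <xs:attribute name="id" type="xs:positiveInteger" use="required"/>
      </xs:complexType>
    </xs:element>
  </xs:sequence></xs:complexType></xs:element>
</xs:schema>
XSD;
}

// Per-person step: a stand-alone document holding exactly one <person>.
function buildPersonDocument(int $id, string $name, string $birthdate): DOMDocument
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $person = $doc->appendChild($doc->createElementNS(PERSONS_NS, 'person'));
    $person->setAttribute('id', (string) $id);
    foreach (['name' => $name, 'birthdate' => $birthdate] as $tag => $value) {
        $el = $person->appendChild($doc->createElementNS(PERSONS_NS, $tag));
        $el->appendChild($doc->createTextNode($value)); // text node, so & < > get escaped
    }
    return $doc;
}

// Validation step: import one person into a fresh wrapper and validate that wrapper
// alone, so a schema error is attributable to exactly one person.
function validatePerson(DOMDocument $personDoc, bool $normalize = true): array
{
    $wrapper = new DOMDocument('1.0', 'UTF-8');
    $root = $wrapper->appendChild($wrapper->createElementNS(PERSONS_NS, 'persons'));
    // importNode(..., true) copies the whole subtree; appendChild places it under <persons>.
    $root->appendChild($wrapper->importNode($personDoc->documentElement, true));

    // The workaround from the post: serialize and re-parse before validating, so the
    // validator sees a tree parsed from text rather than one stitched together by import.
    if ($normalize) {
        $wrapper->loadXML($wrapper->saveXML());
    }

    libxml_use_internal_errors(true); // collect libxml messages instead of emitting warnings
    libxml_clear_errors();
    $valid = $wrapper->schemaValidateSource(personSchema());
    $errors = array_map(function (LibXMLError $e) { return trim($e->message); }, libxml_get_errors());
    libxml_clear_errors();
    return ['valid' => $valid, 'errors' => $errors];
}

// Constructed sample records: the second one has a malformed date and must be rejected.
$people = [
    [1, 'Anna Example', '1980-05-17'],
    [2, 'Bert Example', '17.05.1980'],
];
foreach ($people as [$id, $name, $birthdate]) {
    $result = validatePerson(buildPersonDocument($id, $name, $birthdate));
    printf("person %d: %s\n", $id, $result['valid'] ? 'ok' : implode('; ', $result['errors']));
}
```

Calling validatePerson with $normalize = false runs the same validation on the tree as it comes out of importNode, which lets you compare both paths against your own libxml2 version.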

Monday, September 10, 2007

SATA problems

I had some serious problems with my server concerning some SATA hard disks. Unfortunately not only was my RAID 0 system with a one-year-old Samsung SpinPoint broken (I sent the disk to Samsung), another disk also failed with serious errors and locked up my system.

So I bought a new one and wanted to transfer the data from the broken one to the new one as well as possible before it completely failed. But I was stopped by my own ignorance.. the new 500GB disk was not working with the onboard SATA controller.. so when I went back to change it for a smaller disk (since I thought there was some size restriction in effect which stopped my controller from working with the disk), they just told me to jumper the disk to SATA I and try again..

Not only is this jumper setting not explained in the tiny manual which is normally shipped with the disks, I had also called the support hotline prior to this incident to confirm my theory (about the size) and was a little angry that they had not told me this on the phone before.. Not that I have much to do, I am just a workaholic with a family and a little girl....

Nevertheless I used the jumper setting they told me and tried again.. first the controller had trouble recognizing the disk, but after another restart it was finally there.
Good, now all I have to do is partition the disk and then create a filesystem.. but then the same errors appeared on this disk as on the old one.. NOT AGAIN...

Another mistake of mine was to put the problem down to the controller... ok, it's a VIA chipset and it has some trouble with Maxtor 500GB disks, and I am not very fond of it, and maybe it is also a reason for the problems. Either way I just bought a PCI SATA controller and installed it.. and it found both SATA disks (not my RAID array, that is on another SATA controller.... ok, now that sounds more complicated than it really is) and after booting Linux I tried to mount both disks.

The new one did not have any problems, I was able to recreate the partition and install a filesystem, but the old one still got some errors when mounting read-only:
sd 5:0:0:0: SCSI error: return code = 0x8000002
sdc: Current: sense key: Aborted Command
Additional sense: Scsi parity error
end_request: I/O error, dev sdc, sector 206307443
lost page write due to I/O error on sdc1
ATA: abnormal status 0xFF on port 0xFFFFC2000004439C
ata6: status=0xff { Busy }

Luckily I found a site which proposed changing the SATA cable. Since I changed it to the one shipped with the controller, the disk runs as smoothly as ever.

Now I could be pretty angry for searching for this little fellow for about two weeks, but I am just relieved that the data on the disk is ok. Naturally the first thing I did was to back up the complete disk to the new one before putting my hand in the fire ;-)

Thursday, September 06, 2007

vserver with different Architecture

My system is a little weird since I did a poor job installing Linux: I installed a 32-bit system on a 64-bit architecture and then just changed the kernel.

Now when installing a new vserver with debootstrap, it automatically uses the source system, which in my case is 32-bit, and therefore I got the errors:
kernel: IA32 syscall 311 from ...

It finally annoyed me enough, so I asked a friend, and with his help I finally managed to change the architecture when installing a new vserver:
newvserver --hostname name --domain domain --ip ip --dist testing --interface eth0 --arch amd64 --context context

Not only did I get rid of the warnings, I also experienced a slight boost in performance. But maybe this is because of the source of the error. Now I am installing all vservers again in 64-bit and moving forward.

Friday, August 31, 2007

LDAP the second - Apache2

After getting LDAP working with PAM, the next move was to get it working with Apache. I tried several ways:
  • direct contact to the AD through LDAP
  • using PAM
  • using Kerberos
and I was able to get it working through LDAP. For that I needed the modules authnz_ldap and ldap. Then all I had to do was get the correct authorization config into the virtual host:
<directory>
...

AuthType Basic
AuthName "LDAP"
AuthBasicProvider ldap
AuthLDAPBindDN cn=ldapauth,ou=Users,dc=your,dc=domain,dc=com
AuthLDAPBindPassword password
AuthLDAPURL "ldap://yourdomain.com:389/ou=Users,dc=your,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"
AuthzLDAPAuthoritative off

Require valid-user

...
</directory>
Some explanations: the AuthBasicProvider is needed as of Apache 2.2, since otherwise you will get an error message.

Links:

Ldapping the World - Active Directory and PAM

Introduction
Working with multiple vservers, we started thinking about using a single user database for all authentication. Since we are using an MS server with Exchange and so on, it was decided that the Active Directory (AD) of that server is our user database.

Next we had to get everything under Linux configured to authenticate against our AD, which meant we had to configure PAM to use our AD. Now there are two ways to do that: Winbind and LDAP. Winbind was used before, and we had some really bad problems when the Windows server was restarted, so we thought of using LDAP. Besides that, we did not want to install Samba on all vservers.

Now to get LDAP working there are some small things you have to consider: first, you need OpenLDAP (or similar) to get information from LDAP, but to authenticate you have to use at least Kerberos. There are other ways too, but I wanted to keep it as simple as possible, and security measures (clear text passwords, ...) were not under consideration at this point.

Our System:
- Windows Server 2003
- Debian Linux testing (at this point)

Windows
You will also have to adjust the Windows server, since some more fields for Unix have to be added to the Active Directory. Depending on your system there are multiple ways, and they are all explained in the links I added at the end. We used Microsoft's Services for Unix 3.5 (SFU).

Then I added a new user ldapauth for the communication, and I adjusted my own user for testing, which means I activated the Unix attributes and set everything.

ldapsearch
First I had to get ldapsearch working. For that I installed the LDAP client:
apt-get install ldap-client libnss-ldap
and then I backed up the /etc/ldap/ldap.conf file, because I made it a symbolic link to /etc/libnss_ldap.conf:
HOST yourhost.com
base ou=Users,dc=your,dc=host,dc=com
uri ldap://yourhost.com/
ldap_version 3
binddn cn=ldapauth,ou=Users,dc=your,dc=host,dc=com
bindpw password
nss_base_passwd ou=Users,dc=your,dc=host,dc=com?one
nss_base_shadow ou=Users,dc=your,dc=host,dc=com?one
nss_base_group ou=Groups,dc=your,dc=host,dc=com?one
nss_map_attribute rfc2307attribute mapped_attribute
nss_map_objectclass rfc2307objectclass mapped_objectclass
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_objectclass posixGroup Group
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute shadowLastChange pwdLastSet
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
ssl off
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
Then I was able to use ldapsearch (the search base goes in -b; the filter must be a plain filter expression):
ldapsearch -x -H ldap://yourdomain.com/ -b dc=your,dc=domain,dc=com -D Administrator -W "(cn=User Name)"

passwd
Now I had to change /etc/nsswitch.conf:
passwd: ldap files
group:  ldap files
shadow: ldap files
Normally getent passwd should first show the activated AD users and then the Linux users. I had some trouble getting it working correctly and used strace getent passwd to see that my users from AD had been parsed but somehow were not returned in the list. Unfortunately I am not sure anymore what I did to get this working, but I am pretty sure that it was some change in /etc/libnss_ldap.conf.

Kerberos
Now that we have got LDAP talking with AD, we need Kerberos installed for PAM.
apt-get install heimdal-clients libpam-heimdal
and then I had to configure /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = YOURDOMAIN.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
YOURDOMAIN.COM = {
kdc = yourdomain.com:88
admin_server = yourdomain.com
default_domain = yourdomain.com
}
[domain_realm]
yourdomain.com = YOURDOMAIN.COM
.yourdomain.com = YOURDOMAIN.COM
[login]
krb4_convert = true
krb4_get_tickets = false
You can test it with:
kinit testuser
PAM
Now finally I had to configure the PAM configuration files:
  • common-account
account sufficient pam_ldap.so
account required pam_unix.so
  • common-auth
auth sufficient pam_krb5.so ccache=/tmp/krb5cc_%u
auth sufficient pam_ldap.so use_first_pass
auth required pam_unix.so nullok_secure
  • common-password
password required /lib/security/pam_ldap.so use_authtok md5
password required pam_unix.so nullok obscure min=4 max=8 md5
  • common-session
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Enjoy!

Links:

Tuesday, July 17, 2007

Apache2 proxy on vservers

I have recently changed my internal structure from chroot to vserver, and therefore I was able to split my development system from my live system.

But unfortunately that also meant that there is only one vserver which gets the port 80 requests. I thought about that for a long time and decided there must be a way to use apache2 as a proxy, but also to use wildcards. (I did not want to have multiple files on different systems.)

For that I have installed apache2 on both machines. On the live one I have one configuration file for all proxy requests:

<virtualhost>
ServerName www.sub.example.com
ServerAlias *.sub.example.com

CustomLog sub.example.com-access.log combined
ErrorLog sub.example.com-error.log

ProxyRequests On

<proxy>
Order deny,allow
Allow from live-ip
</proxy>

ProxyPass / http://develop-ip/
ProxyPassReverse / http://develop-ip/
ProxyPreserveHost On
</virtualhost>
That way all requests are sent to the development vserver and I don't have any more headaches about it.

See also:
http://www.debian-administration.org/articles/358
http://kpumuk.info/ruby-on-rails/upgrading-apache-to-version-2-2-in-debian/

Monday, July 09, 2007

iTunes has detected an iPod in recovery mode

I have had a 5th generation iPod for about a year now and use it whenever I can. At work I use iTunes to control the iPod, but otherwise I am not using it for sharing my music.

Now I had this problem that iTunes showed an error "..iPod in recovery mode.." ... what the heck? Since I sync my iPod with my home iTunes I had to recover it there (although it did not have any problems).. now I tried it again at work: same problem..

After a quick search i found this: http://docs.info.apple.com/article.html?artnum=304503

It suggests that the drive letter the iPod wants to use is already in use... and that was the whole problem all the time.

Now I ask: why the hell could it not say so at the first sign? I mean, it never occurred to me that this could be a problem.

Drive letter support with USB and network drives was always a problem with XP (which had to be configured by hand), but at least there could be some information in iTunes.

Thursday, June 28, 2007

life span of a LCD Beamer


My PT AE 700

About three years ago I bought a Panasonic PT AE 700 beamer. Calculating how long a lamp may live, I thought I had worked it all out.. but I was wrong.

LCD beamers are not supposed to be used the whole day, every day of the year.. the way you would use a TV.. but I thought it would only need more lamps..

Unfortunately that's not the whole story. Without going into much technical detail about how they work, there is one piece which is the heart of it.. the LCD panel. Basically it holds all three panels (one for red, one for green and a blue one), and the replacement unit costs as much as a new beamer.


That's supposed to be a black Image.

I have now seen about 5000 hours with that beamer, and after about 4500 there was a blue cloud in the picture... this week I have some black artifacts in the cloud... My panel broke before I had even changed the lamp in it...

So my advice is: if you want to use the beamer more than once a week, don't buy an LCD.

Looking for a replacement, I would either take a plasma screen or maybe a DLP, but I am not entirely sure what costs you have with a DLP.

Tuesday, June 19, 2007

WinXP not as secure as some thought

Working as a programmer in a company, I have to deal with Windows XP, since it is installed on our machines. That includes a Windows server which we are all connected to.

Now normally I have configured a screensaver with a password to activate after a period of time, so nobody can make nonsense here.

Unfortunately WinXP is not as secure as I thought. Although the screensaver is active, I am able to use the special keys on my Logitech keyboard and start my browser, email, media player etc.

In my opinion, if the password has to be entered to get back, you should also not be able to start anything without that password. I think it's a serious breach; even if you cannot do anything but start programs, that should not be possible.

To be complete: I always have the latest updates installed through Automatic Updates.

Tuesday, June 05, 2007

ubuntu your way

I just installed Ubuntu on my new/old company notebook and must say it was quite easy. Last time I tried this I had trouble with just about everything, but that was about two years ago. This time everything went smoothly.. I mean I had some trouble and had to install it about two times to get it up and running, but that's my fault.

The only real program which made serious trouble was Eclipse. Normally I use Vim to code, but with growing projects I had to use an IDE which was able to handle them. So I use Eclipse and configured it to use Vim whenever I like to. (Added the editor to the PHP files.)

Since I have a Windows client, I thought I would just have to export my Eclipse bookmarks and import them on the notebook.. wrong way.. I had so many errors that I did not know which way to go. Fortunately everything was saved in the .eclipse directory in my home, and I just had to delete it to start from scratch.

This time I started with one bookmark after another, starting with PDT (since I code PHP) and installing all needed add-ons. Finally got it working.

Then Subversive, where I had to disable a certain update since it uses Win32 libraries (at least that's what the error message told me).

After installing all add-ons I had trouble getting svn working, since it showed me some kind of PROPFIND error..
Luckily I found some sites which described the error and said that I had to update Java to at least version 6 and then tell Eclipse to use it instead of the GCJ runtime. (German site: http://forum.ubuntuusers.de/viewtopic.php?p=757773#757773)

Installing Java was not the problem; getting Eclipse to use it was harder. Although I changed it in my private Eclipse settings (eclipserc), it still used the global java_home configuration instead, so I had to change it there too.

Then finally I got it up and running with everything I ever wanted..

The last program I installed was Synergy, which is pretty cool! (You should try it.)

Thursday, April 12, 2007

apt-get has super-cow-powers


Working on the server, I was puzzled when I found out my apt-get has super-cow-powers.. now I am relieved that it can finally show its real identity to the world ;-)

Thursday, March 01, 2007

eclipse CVS repository

Although I generally use Vim for coding, for some purposes I use Eclipse.. one is a project from a colleague.

Normally I have a workspace on my own computer, while I link the project directories directly to the server share. That worked quite well, until now. The project is managed through CVS (although I am a fan of SVN), but Eclipse has a built-in CVS client. Ok, I thought, but with linked directories I was not able to get it working.

I had to change the project to sit directly on the server share, not in my workspace, and now it works as expected.

Monday, February 12, 2007

Starforce at freeware

We regularly get computer magazines which from time to time include CDs with data on them.

Last year in December, on one of the discs was the game Trackmania Nations, as freeware. Since it was labelled as freeware I thought, cool, and installed it.

What I was not aware of is that I also installed Starforce with it.

HELLO?!! F R E E W A R E ? !!

I was able to uninstall the damn thing, which of course meant I was unable to play Trackmania anymore. That led to only one conclusion.. bye bye!

I don't understand why someone would add software like Starforce to a freeware game...

Boycott Starforce

Thursday, February 01, 2007

not cost effective...

Working as a programmer for websites, I naturally have to deal with hosting companies. In Austria there are only a handful of big companies; e-Tel is one of them.

e-Tel combines the old hosting companies eunet, nextra and e-Tel (of course), just to name some big fish. With the new year e-Tel has been bought by Telekom Austria, the biggest Austrian phone provider.

We are now in the concept phase of a very big project, which I can't tell much about, but what I can tell is that it needs a whole bunch of servers, load-balanced of course.

While getting offers from different providers via email, e-Tel called, and someone told me that it is "not cost effective" since they would have to create a whole infrastructure for our project.

I got offers from companies that are so small that they may be smaller than the smallest branch of e-Tel (I don't know for sure, but just to make my point).

I wonder what that means: is the company just not flexible enough, or should somebody whose site is hosted there be worried?

Worried or not, I am puzzled.

Thursday, January 11, 2007

Google Desktop

I am using Google Desktop in the company to quickly find files.. since Outlook and other applications from MS are rather slow and you can't find what you really want.

But the problem I had is that you are unable to change the directory where the indexing files are saved. Since it saves them into the Local Settings of my user account, that data would be moved back to our server with my whole profile.

I am working on the same client PC every day, so I don't need them to be moved to the server and back; it's an unnecessary waste of resources.

Luckily I found this: http://www.oreillynet.com/pub/a/network/2004/10/14/google_desktop.html

In short:
If you want to change the location of the cache, you just need to change a registry key:

HKEY_CURRENT_USER\Software\Google\Google Desktop\data_dir

It defaults to C:\Documents and Settings\username\Local Settings\Application Data\Google\Google Desktop Search

I just exited the search with the tray icon, changed it to a folder on my D drive, moved the existing files over to the new location and then restarted it, and it is now updating at the new location just dandy..

It worked like a charm ;-)

Thursday, January 04, 2007

IE7 a little funny?


Recently I got some weird warning messages on my PC. Starting exe files like installation files, or even opening the context menu on rar files on my network drive, would create a warning popup telling me that it is insecure and asking if I know what I am doing.

At first I did not have much time so I did not really care, but today it was really getting on my nerves. So I thought about who could be responsible... a security update? No... but I updated to IE 7 last year, and it is common knowledge that IE has some power over Windows Explorer.

So I looked into the options of IE and found a security switch in the Security tab of the Internet Options which is called something like Misc -> Start Applications and unsafe Files (since I have a German version it is called something different). After I changed this to yes I got no more messages.

But IE7 is going nuts that it is now insecure and wants to change that switch every time I start IE.

First: why the hell is a web browser changing rules for my operating system?!! And second: why is my network drive now in the Internet zone?

Ok, I found this site: http://polemic.hostingdirect.co.nz which tells you how to add your server to the intranet security options in IE7.

Still, I think that a web browser should not be able to change my OS settings.