oozie's blog

Inspiration for veggie meals

2012-01-02T15:54:00.004Z

If you're looking for veg cooking ideas, consider adding the following gadget to your iGoogle page or some other personalized dashboard. The gadget presents a new vegetarian or vegan meal suggestion every 24 hours and the user can click-through to the recipe.

Click here for instructions on embedding it from http://vegidea.org/.

Learn natural English with daily Collocations

2011-12-18T13:05:00.004Z

Collocations are best defined by Christopher Manning & Hinrich Schütze:

A COLLOCATION is an expression consisting of two or more words that correspond to some conventional way of saying things. Or in the words. (Read the full text here paper)

Collocations of words make the language sound "native" and other combinations may cause it to sound unnatural. The new collocations.ooz.ie service helps English learners absorb the natural language faster through visual representation of collocations. Take a look:

The word being the subject of collocation analysis is placed in the yellow ellipse.
Words in rectangular boxes are collocating words.
The thickness of the line linking two words implies the strength of their collocation in terms of the subject word.

For more, subscribe to the feed on

http://collocations.ooz.ie/

Python issublist()

2011-12-12T18:52:00.002Z

An inefficient yet basic and mostly sufficient implementation of a Python function asserting that elements of one iterator are a sublist another's.

def issublist(a, b):
    sep = '\xC0\xFF\xEE'
    a_str = '%s%s%s' % (sep, sep.join(['%s' % e for e in a]), sep)
    b_str = '%s%s%s' % (sep, sep.join(['%s' % e for e in b]), sep)
    return a_str in b_str

http://rozhlas.ooz.ie/ - Český Rozhlas live stream czech

2011-10-23T14:06:00.001+01:00

A webapp looking up M3U and XSPF streams for Czech National Radio channels

http://rozhlas.ooz.ie/

A Finite State Machine module for Python

2011-05-19T00:56:00.005+01:00

In preparation for yet another maths exam I created a Python module for modeling, building and describing finite-state automata. I used it for doing my homework assignment and got a nice enough score. The following transducer (my homework) describes the operation of a microwave oven. Green - current state; blue - possible transitions from the current state.

The python-fsm project is hosted at

http://code.google.com/p/python-fsm

where more examples and some docs can be found.

Python exec module in namespace, an importless import.

2011-03-24T13:57:00.001Z

The following code demonstrates how to import a Python module into a namespace if the module file does not end with ".py" extension, contains dots or the filename is established during execution. It might be useful for unit testing of scripts of which path is known but which can't be imported directly in the testing module.

I assume that module's name is "module.filename.py.txt", the content follows.

# module.filename.py.txt
def hello():
    for i in range(3):
       print 'oO',
    print

The interactive interpreter:

Python 2.6.5 (r265:79063, Jun  3 2010, 14:39:13)
[GCC 4.1.2 20090703] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> class Module(object):
...     """Module object."""
...     def __init__(self, ns_dict):
...         """Populate the module."""
...         self.__dict__ = ns_dict
...
>>> mod_filename = 'module.filename.py.txt'
>>> mod_ns_alias = 'mymodule'
>>> source = open(mod_filename).read()
>>> module_code = compile(source, mod_filename, 'exec')
>>> mod_ns = {}
>>> exec module_code in mod_ns
>>> exec('%s = Module(mod_ns)' % mod_ns_alias)
>>>
>>> mymodule.hello()
oO oO oO
>>>

Google Questions SOAP service

2011-03-20T01:20:00.003Z

I launched a Google Questions SOAP service via on Google Appengine using a method described here. One can now fetch a list of questions frequently typed in the Google search box via the PeopleAsk.ooz.ie UI and programatically, a SOAPpy example follows:

In [1]: import SOAPpy
In [2]: client = SOAPpy.SOAPProxy('http://peopleask.ooz.ie/soap', 
                                  'http://peopleask.ooz.ie/')
In [3]: client.GetQuestionsAbout('god')
Out[3]: 
['does god exist',
 'does god love me',
 'does god hate me',
 'do god and satan talk',
 'does god love everyone',
 'does god answer prayers',
 "where is god when bad things happen"]

A circular graph of Python 2.7 Types.

2011-03-19T18:17:00.000Z

Generated in graphviz from Python.asdl (Python2.7)

Python logging: extending standard logger by custom debug levels.

2011-03-17T16:03:00.000Z

In a recent discussion I advocated for using standard loggers instead of reinventing the square wheel with a custom pretty-printer. Python's logging module is comprehensive enough and comes with 5 default loglevels (debug, info, warning, error and critical). Additionally, it allows for adding your own custom loglevels with addLevelName and invocation of logging.log(customlevel, message). It is also possible to bind custom logging methods to the logger object if the need arises. This should probably never be practiced, but is nevertheless possible, see the code snippet:

import logging

def debug_factory(logger, debug_level):
    def custom_debug(msg, *args, **kwargs):
        if logger.level >= debug_level:
           return
        logger._log(debug_level, msg, args, kwargs)
    return custom_debug    

mylogger = logging.Logger('my-logger')
ch = logging.StreamHandler()
formatter = logging.Formatter("%(asctime)s - %(funcName)s - %(levelname)s - %(message)s")
ch.setFormatter(formatter)
mylogger.addHandler(ch)

for i in range(1,5):
    logging.addLevelName(logging.DEBUG+i, 'DEBUG%i' % i)
    setattr(mylogger, 'debug%i' % i, debug_factory(mylogger, logging.DEBUG+i))

def from_this_function():
    mylogger.debug('test')
    mylogger.debug1('test2')
    mylogger.debug2('test3')

def from_that_function():
    mylogger.debug('test4')
    mylogger.debug1('test5')
    mylogger.debug2('test6')
    mylogger.debug3('test7')
    
def from_another_function():
    mylogger.debug('asdasd')
    mylogger.debug1('agasdf')
    mylogger.debug2('adasdfa')
    mylogger.debug4('asdfa')
    mylogger.warning('blah')

mylogger.setLevel(logging.DEBUG)
from_this_function()    
mylogger.setLevel(logging.DEBUG+1)
from_that_function()    
mylogger.setLevel(logging.DEBUG+2)
from_another_function()

http://sole.ooz.ie/ - Solving Systems of linear equations

2011-01-03T22:52:00.000Z

In preparation for the upcoming algebra exam I wrote up a webapp which solves 3x3 systems of linear equations using notation similar to the one expected from us in the exam. Kinda handy for verifying hand-written calculations and tracking down where mistakes are made:

http://sole.ooz.ie/

Transpositions in Sicilian Defense

2010-12-26T20:53:00.000Z

A graph of most fundamental transpositions in Open Sicilian Defense. It is by no means complete but it does show the idea.

Finding all successors of a node with pygraphviz

2010-12-10T00:39:00.006Z

pygraphviz.AGraph class implements the successors method for finding first level successors of a given node.

g.successors('a') returns ['b', 'c', 'd', 'z']

Sometimes a need arises to find all the successors of all successive nodes as well. The class can be extended to allow for this behavior. The following example illustrates this by extending the base class with all_successors method

#!/usr/bin/python

import pygraphviz as pgv

class Graph(pgv.AGraph):
    def __init__(self, **kvargs):
        pgv.AGraph.__init__(self, **kvargs)
        self.__successors = None
    def all_successors(self, node):
        self.__successors = []
        start_node = self.get_node(node)
        def recur_successor(node):
            node_successors = self.successors(node)
            for s in node_successors:
                if s not in self.__successors:
                    self.__successors.append(s)
                    recur_successor(s)

        recur_successor(start_node)

        return self.__successors

g = Graph(directed=True)

g.add_edge('a', 'b')
g.add_edge('a', 'c')
g.add_edge('a', 'd')
g.add_edge('d', 'e')
g.add_edge('e', 'f')
g.add_edge('x', 'b')
g.add_edge('a', 'z')
g.add_edge('r', 's')
g.add_edge('b','c')

g.draw('s1.png', prog='fdp')

print g.successors('a')
print g.all_successors('a')

related_to_a = g.all_successors('a')
related_to_a.extend('a')
for n in g.nodes():
    if n not in related_to_a:
        g.delete_node(n)

g.draw('s2.png', prog='fdp')

g.all_successors('a') returns ['b', 'c', 'd', 'e', 'f', 'z']

'r' and 's' are not related to 'a' at all and 'x', although it's a predecessor of 'b' it is not a successor of 'a'.

http://huffman.ooz.ie/ - Huffman Tree Generator

2010-11-30T22:47:00.001Z

Huffman Coding is a lossless data compression algorithm that builds weight-ordered binary tree of characters from a text and assigns each character a corresponding binary code value. The binary code depends on occurrence frequency of each character. This webapp is generating Huffman Trees out of short text snippets.

Generate your own at

http://huffman.ooz.ie/

PeopleAsk.ooz.ie - A fresh blend of top-most questions to Google

2010-10-25T00:18:00.004+01:00

I've just published the first version of PeopleAsk webapp. It takes a commonly googled term as input and presents the user with a list of bewildering tangles that thousands, if not millions, of people around the world try to solve fighting a battle in the war with confusion. Check of men, women, Iraq or Fox News and you'll know exactly what I mean.

http://PeopleAsk.ooz.ie/

Command line BBC news reader.

2010-04-29T20:58:00.002+01:00

My BBC RSS feed XML parser:

#!/usr/bin/env python
"""
Command line BBC News reader, by oozie <root ooz ie>

$ ./bbcnews.py
"""
import urllib2
from xml.parsers import expat

GREEN = '\x1b[32m'
BLUE = '\x1b[34m'
NORMAL = '\x1b[30m'

BBC_NEWS_RSS = 'http://newsrss.bbc.co.uk/'+\
               'rss/newsonline_world_edition/front_page/rss.xml'

class NewsItem(object):
    """Class representing a news item."""
    category = None
    description = None
    link = None
    title = None
    def summary(self):
        """Summarize news item in color."""
        return '%s%s: %s%s %s%s' % (BLUE, self.title,
                                    GREEN, self.description,
                                    NORMAL, self.link)
    def headline(self):
        """Print news item title and corresponding link."""
        return '%s%s %s%s' % (BLUE, self.title,
                              NORMAL, self.link)

def get_news(rss_feed):
    """Get a list of news items."""

    class _CurrentData(object):
        """Class holding a set of current attributes."""
        item = None
        text = None

    def _start_element_handler(name, attrs):
        """Handle XML start-elements."""
        if name == 'item':
            # Allocate a new item.
            current.item = NewsItem()

    def _end_element_handler(name):
        """Handle XML end-elements."""
        if name == 'item':
            news_items.append(current.item)
        elif name in ('title', 'description', 'link', 'category'):
            try:
                setattr(current.item, name, current.text)
            except AttributeError:
                # The parser has run into a non-news item.
                pass

    def _char_data_handler(data):
        """Handle XML element character data."""
        current.text = data

    news_items = list()
    current = _CurrentData()

    parser = expat.ParserCreate()
    parser.StartElementHandler = _start_element_handler
    parser.EndElementHandler = _end_element_handler
    parser.CharacterDataHandler = _char_data_handler

    news_handle = urllib2.urlopen(rss_feed)
    xml_data = news_handle.read()

    parser.Parse(xml_data)

    return news_items

if __name__ == '__main__':

    for news_item in get_news(BBC_NEWS_RSS):
        print news_item.summary()

Python code to recognize a color of a chessboard square

2010-01-24T08:57:00.003Z

def chesssquare(square):
   """Return the color of a chessboard square."""
    rank,file=square
    return ord(file) & int(rank) & 1 and 'black' or 'white'

In [1]: chesssquare('a1')
Out [1]: 'black'

In [2]: chesssquare('A2')
Out [2]: 'white'

Colorful output in expect.

2009-11-28T22:59:00.003Z

If you want to change shell color attributes from expect make sure that you escape at least the first three characters of the ANSI color sequence. This is necessary due to the way expect interprets strings. For instance, if you try to declare the red color sequence like this:

set red "\x1b[1;31;40m"

expect will think that you forgot to close the square bracket. If you escape the square bracket and continue like this:

set red "\x1b\x5b1;31;40m"

expect will think that the following "1" belongs to the preceding"\x5b". The following trick can be used to quickly convert an un-escaped string to a fully hex-escaped one:

$ export RED="\x1b[1;31;40m"
$ python -c "print ''.join([r'\x%x' % ord(c) for c in \"$COLOR\"])"
\x1b\x5b\x31\x3b\x33\x31\x3b\x34\x30\x6d

ANSI sequence strings escaped this way can be further used in except scripts.

#!/usr/bin/env expect

# Colorful output from expect.
# Slawek Ligus

proc stripe_write {text} {
# This procedure prints every second character of a given
# string argument $text in red.

# RED="\x1b[1;31;40m"
set red "\x1b\x5b\x31\x3b\x33\x31\x3b\x34\x30\x6d"
# NORMAL="\x1b[1;0;40m"
set normal "\x1b\x5b\x31\x3b\x30\x3b\x34\x30\x6d"
for {set i 0} {$i < [string length $text]} {incr i 2} {
puts -nonewline "$red[string index $text $i]"
puts -nonewline "$normal[string index $text [expr $i+1]]"
}
puts -nonewline $normal
}

stripe_write " Expect in color. \n"
stripe_write " http://blog.ooz.ie/ \n"
stripe_write "=====================\n"

Network Security with OpenSSL - exercises.

2009-11-01T00:08:00.005Z

Set of exercises to the book of Network Security with OpenSSL by J. Viega, M. Messier, P. Chandra.

Explain the following terms: SSL, TLS, CA, CRL, OCSP, PKI, PRNG
List goals of cryptography.
What is the difference between symmetric and public key encryption?
List three cryptographic hash functions. What are their strengths and weaknesses?
Explain what the term "digital signature" means.
What are the challenges of SSL?
Build OpenSSL from source.
Use openssl to compute SHA1 and MD5 message digests for a given file.
Encrypt and decrypt a file using 3DES.
Generate parameters for Diffie-Hellman key exchange.
Create a pair of DSA and RSA keys.
What is the major difference between RSA and DSA?
Explain the purpose of a CRL.
What are Certificate extensions and how to use them?
Do some research about OCSP (RFC2560)
Create a CA environment.
Generate a self signed certificate.
Generate a certificate request.
Issue a few certificates from certificate requests.
Revoke some of the generated certificates.

Retrieve HTTPS certificates of some of the Internet giants, e.g.

$ echo|openssl s_client -connect www.google.com:443|\
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.txt

Print the certificate in the text form
```
$ cat cert.txt|openssl x509 -text
```

Install encrypted Gentoo in no time.

2009-09-23T13:42:00.011+01:00

Having a spare moment I decided to revisit my older post about installing encrypted Gentoo Linux as fast and easy as possible. That post is well out of date and the scripts were not working anymore as pointed out by a kind anonymous reader. So over the last two days I worked out a new/better way of installing an encrypted base Gentoo,

http://ooz.ie/cryptogen.sh

it's a single shell script using dialog for ncurses interface (included on the mini-install DVDs). It's configuration is contained in the header, just under the LICENSE.

The installation process goes as follows:

Boot off the Gentoo MINI-install CD for your architecture and download cryptogen.sh
You can customize the settings contained in the header of the script, most users however, will be just happy to run it.
Follow the instructions.

Enjoy!

Timestamp converter powered by Google AppEngine

2009-07-30T10:19:00.008+01:00

I wrote a semi-useful AppEngine application, a Unix/AD-LDAP timestamp converter. It's approximately 130 lines of code, plus an HTML template.

http://timestamp.ooz.ie/

It converts Unix and Active Directory/LDAP timestamps to human readable UTC strings. It does it also from the command line...

sms_exec.py - SMS controlled POSIX machine.

2009-07-19T18:26:00.004+01:00

I have just released the beta of PyHumod 0.02 with improved event handling. It comes with a sample application, sms_exec.py, that allows the user to execute remote commands on a POSIX system by sending an SMS into the modem, that subsequently is interpreted by the shell on the privileges of the user running sms_exec.py.

PyHumod 0.01 beta is out!

2009-06-27T19:52:00.004+01:00

Installation

$ wget http://pyhumod.googlecode.com/files/pyhumod-0.01-beta.tar.gz
$ tar xzf pyhumod-*.tar.gz
$ cd humod-*
$ sudo python setup.py install

Basic usage

For most users the following should work:

$ python
Python 2.5.4 (r254:67916, May 21 2009, 22:07:14)
[GCC 4.1.2 (Gentoo 4.1.2 p1.0.2)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import humod
>>> m=humod.Modem()
>>> m.show_model()
'E270'
>>> m.enter_text_mode()
>>> m.send_text('+353?????????', 'hello world')
52
>>> m.connect()
>>> m.disconnect()

Visit http://pyhumod.googlecode.com/
and http://pyhumod.ooz.ie/

Find Huawei interfaces on Linux

2009-06-20T11:50:00.009+01:00

After two years of null-activity in the area of Huawei devices I'm resuming the work. Right now I'm in a process of coding a python package, PyHumod, that will talk to Huawei (and compatible) modems. I've just jotted a detection tool for Huawei interfaces on a HAL-enabled Linux.

Run it as follows:

$ python find_huawei_iface.py

It should come up with something like that as response:

5 Huawei interfaces detected.
    E220 HSDPA Modem : /dev/ttyUSB4
    E220 HSDPA Modem : /dev/ttyUSB3
      E620 USB Modem : /dev/ttyUSB1
      E620 USB Modem : /dev/ttyUSB2
      E620 USB Modem : /dev/ttyUSB0

Tested on Huawei E220, K3520 and E270. It's meant to work with all models.

#!/usr/bin/python
# 
# Copyright (c) 2009, Slawek Ligus 
# All rights reserved.
# 
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#    * Redistributions of source code must retain the above copyright
#      notice, this list of conditions and the following disclaimer.
#    * Redistributions in binary form must reproduce the above copyright
#      notice, this list of conditions and the following disclaimer in the
#      documentation and/or other materials provided with the distribution.
# 
#  THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS
#  OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
#  ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
#  INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
#  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
#  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
#  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 
#  THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# 

"""find_huawei_iface.py finds active USB huawei interfaces."""

import dbus

BUS_NAME = 'org.freedesktop.Hal'
MGR_OBJ = '/org/freedesktop/Hal/Manager'
HAL_DEV_IFACE = 'org.freedesktop.Hal.Device'
HAL_MGR_IFACE = 'org.freedesktop.Hal.Manager'

bus = dbus.SystemBus()

def find_huawei_devices():
    """Find Huawei devices."""

    # Huawei vendor ID
    vendor_id = '12d1'
    hal_mgr_obj = bus.get_object(BUS_NAME, MGR_OBJ)
    hal_mgr = dbus.Interface(hal_mgr_obj, HAL_MGR_IFACE)
    all_dev = hal_mgr.FindDeviceByCapability('serial')
    devices = list()
    for device in all_dev:
        if vendor_id in device:
            devices.append(device)
    return devices

def get_hal_info(udi):
    """Return Huawei interface name and short description."""

    hal_dev = bus.get_object(BUS_NAME, udi)
    dev_property = hal_dev.GetProperty
    serial_port = dev_property('serial.device', dbus_interface=HAL_DEV_IFACE)
    info_product = dev_property('info.product', dbus_interface=HAL_DEV_IFACE)

    return info_product, serial_port

def main():
    """Find Serial interfaces for Huawei USB modems on a system."""

    devices = find_huawei_devices()
    if devices:
        l = len(devices)
        print '%s Huawei interface%s detected.' % (l, l > 1 and 's' or '')
        for dev in devices:
            print "%20s : %s" % get_hal_info(dev)
    else:
        print 'No Huawei devices found.'

if __name__ == '__main__':
    main()

Cloud Computing - Another paper from Sun Microsystems

2009-06-18T00:50:00.002+01:00

Sun has an annoying habbit of advertising white papers as "free" and then pointing you to a link with a survey, where they want you to fill out some stuff about your personal situation, current job status (including the company as a *required field) and some other similar pieces of information that you otherwise don't feel like sharing. Once you submit your factual or fictional data you'll discover that it wasn't necessary but Sun failed to inform you about it in time. Anyhow, have an interesting read without giving them your personal data:

https://www.sun.com/offers/docs/CloudComputing.pdf

Listening to technical presentations.

2009-06-03T10:18:00.005+01:00

My reception of technical presentations can vary depending on how well I'm prepared. Things I'm going to list might seem obvious at first, oh yeah you know them all, but the tricky part is to actually do it.

When going to a technical presentation...

Make sure you understand the jargon.
Collect the vocabulary that is related to the subject and might pop up in the talk. Search through related mailing list archives or just lurk on one of them.
Have a general understanding of how stuff works.
Familiarize yourself with the programming language, protocol or product that the presentation is about. Most importantly, look at other languages, protocols and pieces of software designed to do more/less the same thing and try to compare the differences.
Try to stay focused during the presentation. If you lose concentration only for a split second you might get out of sync which turns out to be a little discouraging.
Take bullet point notes during the presentation, expand them afterwards.
Always follow up with some hands-on exercise, e.g. install the software, set up the network configuration, do some coding.

Virtualization for Dummies from AMD and Sun.

2009-05-30T21:50:00.004+01:00

Sun Microsystems asked me to fill a survey for them and as a reward I would download Virtualization for Dummies e-book. They didn't mention, that it's publically available on their website, I'm not sure if they mentioned that it's a part of the Sun+AMD marketing campaign (if they had done that I'd like to see the results of the survey). Anyway, might be an interesting read and it's only 50 pages long (of which you should and will skip the first 9 pages full of marketing crap). Help yourselves:

http://www.sun.com/systems/virtualization-for-dummies.pdf

Thoughts on troubleshooting methodology...

2009-05-27T12:03:00.016+01:00

I never thought I could have any problems troubleshooting IT stuff, especially since it's been my day-to-day job for the last 3 years. However, not so long ago I was asked a couple of troubleshooting scenario questions in an interview and while I had the right feeling about the solution I still failed to break the problem down theoretically and when the time was up the interviewer didn't seem impressed with me (this is probably a nice way of putting it). I said to myself 'no big deal', as having my hands on the actual problem in the real world I would probably have had it solved in no time.
Or would I? Maybe yeah, but certainly without the 'no time' factor.
It got me thinking about how intuitively I have been doing my job sofar and that it's actually not the right approach for a troubleshoot professional. I decided I needed some structure, and here it is. I'd like to share my thoughts with you:

Problem identification and data collection.
- If someone reported the problem, ask the reporter precise questions:
  - What's wrong?
  - When did it happen for the 1st time? (If relevant, where?)
  - Did you change something just before the occurence? If so, what?
  - Is the problem persistent or intermittent?
  - Are you aware about other people experiencing the same issue?
  - Have you tried any workarounds?
- What does an Internet search return? Maybe a fairly common issue globally?
  What does your internal knowledge base return? Maybe a fairly common local issue?
- What is the scope of the problem. Local? Global?
Reproducing a problem.
- Where possible, create a test environment.
- Try to reproduce the bug. If succesfully reproduced, on Unix-like systems truss and strace are irreplaceable for runtime executable analysis. Similar tools for Windows are available too.
Analysis.
- Visualize. Draw all the components and try to figure out visually where the problem might be hidden.
- Try to understand the potential dangers.
- Make a thorough research and refer to technical documentation.
- It is crucial that you understand the terminology.
Isolating the issue.
- Rule out factors that have nothing to do with the problem, but don't just assume - make sure they don't.
- Test the problem under many different conditions. Change one or two conditions at a time.
Suggest and apply fixes.
- Always make a backup of any important data that can be lost.
Escalate where appropriate.
Understanding and verifying the solution.
- Make sure you understand what's going on before moving on to conclusions.
Creating Documentation!
- Document your findings in order to avoid effort duplication. Describe the symptoms, error messages and the solution and publish them somewhere. Try to organize your knowledge base so that finding information is easy after you get the same problem in after 6 months time...

IPv6 on Gentoo.

2009-05-24T12:18:00.004+01:00

If you've got IPv6 connectivity on Gentoo Linux, you may want to set some applications to prefer IPv6 over IPv4 addresses. This way, if both IPv4 and IPv6 addresses are returned from the DNS server, the application will go with the latter.

Add ipv6 to the default USE flags in /etc/make.conf. Otherwise the applications built by emerge, will not necessarily be IPv6 aware.
wget
Edit /etc/wget/wgetrc file and uncomment the following setting:
```
#/etc/wget/wgetrc
# [...]
prefer-family = IPv6
# [...]
```
Consequently, /usr/bin/emerge which uses wget as download engine, will try to pull the traffic via IPv6 first if only the DNS server of your mirror returns an IPv6 address.
rsync
Edit /etc/conf.d/rsyncd and add --ipv6 to the RSYNC_OPTS variable.

IPv6 Google Search Firefox Plugin

2009-05-03T15:09:00.006+01:00

If you already have IPv6 connectivity you should consider pointing your Firefox to http://IPv6.Google.com instead of www.google.com as your default Search Engine.

Google provides IPv6 Google search as of 5/13/2008, as we read from the official blog:

Official Google Blog: Looking towards IPv6

You can do it with this OpenSearch compliant Firefox Search Plugin

IPv6 Google Search.

Search is performed over IPv6, but the search suggestions go over IPv4 network.

It's issued under GPLv3.
THERE IS NO WARRANTY FOR THE PLUGIN. IT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PLUGIN IS WITH YOU. SHOULD THE PLUGIN PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Troubleshooting tips:

"Failed to Connect" in Firefox - your computer can resolve ipv6.google.com DNS address but can't find the route to the host.
Solution:
1. Get an IPv6 connection. Start here, and move on to opening an account with a tunnel broker (e.g. SixXS.NET)
"Address Not Found" in Firefox - your computer can't resolve the ipv6.google.com DNS address.
Solution:
1. Go to about:config in the address bar of Firefox and make sure that network.dns.disableIPv6 is set to False
2. Check your DNS settings.

Please ask your questions in the comments.

A simple javascript test for IPv6 connectivity.

2009-05-03T13:52:00.007+01:00

JavaScript test for IPv6 connectivity to IPv6.google.com.

/*
 * http://blog.ooz.ie/2009/05/test-for-ipv6-connectivity.html
 *
 * A simple test for IPv6 connectivity to http://ipv6.google.com/
 *
 */

function loadOK() {
// Image loaded OK.
alert('Success. IPv6 connectivity to Google detected.');
}

function loadError() {
// There was an error loading an image.
alert('Error. No IPv6 connectivity to Google.');
}

var GoogleV6Logo = new Image();
GoogleV6Logo.onload = loadOK;
GoogleV6Logo.onerror = loadError;

GoogleV6Logo.src = "http://ipv6.google.com/intl/en_ALL/images/logo.gif";

Trivial encryption with coreutils

2009-03-02T00:36:00.004Z

We all know /bin/tr and /bin/dd, two very powerful tools, both are part of Linux' coreutils. Combined together by a Unix pipe they become even more powerful, here is how.

ROT13

Rot13 is a simple substitution cipher. It consists in shifting each character of the alphabet 13 places to the right. If a character goes beyond the original Z place, it is moved to the beginning of the alphabet and continues shifting from there. Effectively all characters are moved by 13 places, so that the alphabet starts now with N instead of A and ends with M instead of Z.

Substitution ciphers are considered weak, because they are prone to pattern matching and statistical attacks. It is good enough to hide the contents of the message from human eyes at the first glance. /bin/tr is a Linux core tool that can be used to translate the alphabet into it's rot13 equivalent.

$ tr A-Za-z N-ZA-Mn-za-m
hello world
uryyb jbeyq
^C
$

ENDIANNESS

This feature comes to us thanks to diversity of computer hardware. Little-endians address the 16-bit values in memory differently from from Big-endians, what sometimes causes incompatibility issues. Here /bin/dd comes comes to rescure with it's conversion flag:

$ dd conv=swab bs=1
hello world
ehll oowlr
d^C12+0 records in
12+0 records out
12 bytes (12 B) copied, 13.3088 s, 0.0 kB/s

Byte swapping is not an encryption method in itself, because swapped bytes in a word are still readable. An interesting thing about the swap, however, is the fact that if a human readable sentence delimited by spaces is byte-swapped the words, while still somehow readable, change the length.

TRIVIAL ENCRYPTION CYPHER
The fact that the two converisions named above are absolutely independent from each other allows us to combine them together. A message encrypted this way is a little less likely to be decoded with a statistical or pattern matching algorithm.

$ cat secret|tr A-Za-z N-ZA-Mn-za-m|dd conv=swab
uG rrfepgrz frnfrts ybbyfj
!0+1 records in
0+1 records out
28 bytes (28 B) copied, 0.00179017 s, 15.6 kB/s

% percent string formatting in Python

2009-02-20T23:27:00.004Z

Playing around with string formatting in Python I made an interesting discovery. Python supports extended string formatting similar to the one introduced in C, but much more powerful. It does it by means of using a % (percent) sign optionally followed by name in brackets (which can be a dictionary key), formatting flags, unit width, a dot with precision point and finally mandatory character code for formatted unit's type. General definition looks as follows:

'preceding text %[(key)][flags][width][.precision point] following text' % value

and if you want to feed a string with a literal percentage sign you use '%%' (double percentage)... but there is a catch! The double-percentage rule is only valid for strings that are about to be injected values by format strings; strings that are not meant to be formatted should contain only one percentage sign to reach the same outcome. In other words the following lines of code produce the same output:

print '%% %s' % 'hello'
print '% hello'

whereby

print '%% %s' % 'hello'
print '%% hello'

causes the second line to print out the percentage sign twice, and

print '% %s' % 'hello'

is wrong and errors out with 'TypeError: not all arguments converted during string formatting'. This behaviour is diffrent from the C one, where all strings, formatted or not are treated equally.

[0x04]. Notes on Assembly - The fairytale of an x86 CPU

2008-09-21T22:37:00.024+01:00

FLAGS	EIP	ESP	EBP
CS	DS	ES	SS
FS	GS	ESI	EDI
EAX	EBX	ECX	EDX

A 32bit x86 has 16 registers, divided in 6 groups respectively:
- 1 x EFLAGS register
- 1 x Instruction Pointer
- 2 x Stack Pointing Registers
- 6 x Segment Registers
- 2 x Index Registers
- 4 x General Purpose Registers
The registers are assigned specific roles:
- EFLAGS register (Extended FLAGS register is a 32bit version of the 16bit FLAGS) contains the state of current processor. Only 18 out of 32 flags have a meaning assigned.
- EIP - Extended Instruction Pointer points to the next instruction memory address in the Fetch-Execute cycle.
- ESP - Extended Stack Pointer - points to the top of the stack. You can see how it grows down on an x86 architecture in the following example: stack_pointer.c
- EBP - Extended Base Pointer - points to the base of the current Stack Frame. If you assemble func.c as follows:
```
$ gcc -S func.c -o func.s
```
  and take a look into func.s file, the f() function will be translated to some thing like that:
```
f:
pushl   %ebp  
movl    %esp, %ebp
subl    $16, %esp
movl    $11, -16(%ebp)
movl    $22, -12(%ebp)
movl    $33, -8(%ebp)
movl    $44, -4(%ebp)
leave
ret
```
  1. Line one saves the old EBP
  2. Old ESP becomes new EBP
  3. Increasing the stack by the size of 1 paragraph
  4-7. Saving local variables in the stack frame locations relative to EBP
- ?S - Segment Registers
  - CS, Code Segment
  - DS, Data Segment
  - SS, Stack Segment
  - ES, Extra Segment
  - FS, another Extra Segment
  - GS, another Extra Segment
- Extended Index Registers, used for array operations (e.g. strings, which are arrays of bytes)
  - Source Index
  - Destination Index
- Extended General Purpose Registers
  - EAX - accumulator, used for storing intermediate results of I/O access, interrupts or arithmetics.
  - EBX - base register, used for addressing
  - ECX - counter, used in loops and countdowns.
  - EDX - data register

[0x03]. Notes on Assembly - Memory from a process' point of view

2008-09-14T02:08:00.024+01:00

In-depth memory layout is specific to both the CPU architecture and the OS itself. I'm going to describe how a process sees its own memory share during execution.

Memory Layout from a process perspective

When a program is executed it is read into memory* where it resides until termination. The code allocates a number of special purpose memory blocks for different data types. A very common scheme, but not the only one, is depicted in the following table.

*that's why a statement that the size of your binary does not influence the memory use is not true. Programs static code is read into the lower part of memory.

Stack

a very dynamic kind of memory located at it's top (high addresses) and growing downwards

Memory not allocated yet

Memory that will soon become allocated by the stack, that grows down. Stack will grow until it hits the administrative limit (predefined).

Administrative limit for the stack

Shared Libraries

Administrative limit for the heap

Memory not allocated yet

Memory that will soon become allocated by the heap growing up from underneath.

Heap

It is said that this is the most dynamic part of memory. It is dynamically allocated and freed in big chunks. The allocation process is rather complex (stub/buddy system) and is more time consuming than putting things on stack.

BSS

Memory containing global variables of known (predeclared) size.

Constant data

All constants used in a program.

Static program code

Reserved / other stuff

In order to prove that things work this way (on many systems anyway) I wrote a C program, mem_sequence.c, that allocates 5 types of data, finds their location the (virtual) memory address, sorts them in descending order and then displays presenting a similar output to the table above. mem_sequence.c is tested on Linux, FreeBSD, MacOS X, WinXP and DOS. All UNIX-like systems preserve a similar model with slight differences in address thresholds, the output from Microsoft systems is different and hence interesting.

This is how you use mem_sequence:

$ gcc mem_sequence.c -o mem_sequence
$ ./mem_sequence
1.(0xbf828124) stack
2.(0x0804a008) heap
3.(0x080497d4) bss
4.(0x08048688) const's
5.(0x08048557) code
^Z
[1]+  Stopped                 ./mem_sequence
$ cat /proc/`pidof mem_sequence`/maps
08048000-08049000 r-xp 00000000 fd:01 313781     mem_sequence
08049000-0804a000 rw-p 00000000 fd:01 313781     mem_sequence
0804a000-0806b000 rw-p 0804a000 00:00 0          [heap]
b7dda000-b7ddb000 rw-p b7dda000 00:00 0
b7ddb000-b7efe000 r-xp 00000000 fd:01 4872985    /lib/libc-2.5.so
b7efe000-b7eff000 r--p 00123000 fd:01 4872985    /lib/libc-2.5.so
b7eff000-b7f01000 rw-p 00124000 fd:01 4872985    /lib/libc-2.5.so
b7f01000-b7f04000 rw-p b7f01000 00:00 0
b7f18000-b7f1b000 rw-p b7f18000 00:00 0
b7f1b000-b7f35000 r-xp 00000000 fd:01 4872978    /lib/ld-2.5.so
b7f35000-b7f36000 r--p 00019000 fd:01 4872978    /lib/ld-2.5.so
b7f36000-b7f37000 rw-p 0001a000 fd:01 4872978    /lib/ld-2.5.so
bf816000-bf82b000 rw-p bffeb000 00:00 0          [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
$

Let's analyze it:

The code (5) and constants (4) fall into the readable and executable (non-writable!) portion of code.
BSS (3) is enclosed in the read-write but not executable partition.
Heap sits on top of them and is denoted by "[Heap]".
...long long nothing...
Stack at the very top, described as "[Stack]". Yahtzee!

It works, great news, but it works differently on different x86 based Operating Systems. Check it out yourself and please let me know if you make an interesting discovery on some other exotic system.

top	Linux	FreeBSD	MacOSX x86 / PPC	WinXP 32	DOS	AmigaOS 4.1	Vista Home 32bit
1	stack	stack	stack	heap	heap	code	bss
2	heap	heap	heap	bss	stack	heap	const's
3	bss	bss	bss	const	bss	bss	code
4	const	const	const	code	const	const's	heap
5	code	code	code	stack	code	stack	stack

Thanks to Harald Monihart for providing MacOSX PPC data.
Thanks to Anonymous for AmigaOS 4.1 data.

[0x02]. Notes on Assembly - Acquainting oneself with the Memory

2008-08-17T23:47:00.019+01:00

The biggest part of Assembly Language is all about the CPU talking to the main memory. I'm going to dive deep into this subject. Let's start with the memory management so we can smoothly move over to the CPU and understand what different CPU registers were designed for.

For a start read How Computers Work: Processor and Main Memory by Roger Young to understand in more detail how memory addressing and memory IO operations are performed.

Below a list of essential terms connected to memory and its management.

Random Access Memory (RAM)

main operational memory in PC computers. Its characteristic consists in the way the data is accessed (read from or written to), namely just by using electric impulses. (This is very different from other storage mediums, e.g. magnetic tape, where reading data requires mechanical movement of the tape what takes very long and the time of reading some particular data depends on data's physical location on the medium.)
Running programs and their data are read into RAM at execution time.

x86 Processor Modes
Memory is always accessed under a strong supervision of the processor, if not by the CPU itself, hence the CPU controls what mode the memory is accessed in.

Real mode - there original CPU mode introduced with 286 machines. It has a 20bit address space, thus allowing to address 2^20bytes (=1MiB) of memory only. Segments in real more are always 64KiB in size.
Protected mode - due to compatibility reasons, all x86 CPUs start in Real mode (so they can support archaic operating systems like DOS), and can be immediately switched to Protected mode by setting appropriate flags in the registers. Protected mode can enrich the system into additional features, like
- the use of virtual memory,
- 8086 virtual mode,
- privilege levels,
- multitasking
- and others...
Segment sizes can vary.
Unreal mode - this mode breaks the 20-bit addressing limit that exists in real mode and allows to address up to 4GiB of Memory
Long - this mode is available on 64bit processors only. It allows 64bit applications to run 64bit, at the same time 16 and 32 bit apps are switched to compatibility mode and can be executed without problems.

Virtual Memory
On modern operating systems hundreds of processes run at the same time. If you sum up the amount of memory they use at any given time it would exceed the physical RAM amount. This is possible thanks to virtual memory, a technique that tricks running programs into thinking, that they have more RAM memory at disposal than there is factually available. It is done by dumping the memory space of inactive processes into secondary storage. This is called paging. Moreover, Virtual Memory enables Operating Systems to protect and manage memory the way an Operating System is programmed to.

Paging
During this process inactive areas of real memory are dumped onto the secondary storage and used re-read back into RAM when a program calls them.

Segmentation

A relative way (not an absolute way) to address physical memory by a usage of the Segment:Offset notation. Best explained in this article by Daniel Sedory:

Memory Management Unit
a hardware part of the CPU that controls how the CPU accesses memory. Its 4 main functions are:

translating virtual-to-physical addresses;
memory protection;
cache control;
bus arbitration;

... so roughly:

When a x86 computer is turned on, it starts in real mode and can only address the first mebibyte (1024*1024bytes=KiB^2) of RAM. This is more than enough to bootstrap an Operating System.
The Operating System can switch the CPU from real into protected mode.
When in protected mode, the system can take advantage of e.g. memory protection and virtual memory to manage memory resources. It does that under strong supervision of the Memory Management Unit.

http://en.wikipedia.org/wiki/X86
http://en.wikipedia.org/wiki/Memory_management_unit
http://en.wikipedia.org/wiki/Virtual_memory

[0x01]. Notes on Assembly - AT&T vs Intel syntax

2008-08-05T00:15:00.016+01:00

There are two main syntaxes for Assembly Language: AT&T and Intel. The former was invented by AT&T Labs in 1960's and is used on all UNIX-based systems, the original intention was to preserve portability and compatibility between different UNIX flavors. The latter was invented by Intel and is commonly used in MS systems. I have a bit of a chicken'n'egg problem here, as I have no idea who ripped off the most part from the other party but it's not relevant nor important here... The main differences between the syntax are as follows:

Intel	AT&T
Mnemonics are case-insensitive	Mnemonics are lowercase
case insensitive registers in form of AH, ax, Eax	lowercase registers are preceded with % (percent) sign, as in %eax, %ax
Memory operands are prefixed with size accordingly: byte ptr ADDR - 8 bits word ptr ADDR - 16 bits dword ptr ADDR - 32 bits qword ptr ADDR - 64 bits	machine instructions end with one of three possible suffixes: b - for byte w - for word l - for long word q - for quadruple e.g. movl, movw, movb
The programmer first specifies the destination and then the source operand. "mov bx, ax" moves ax to bx	You first specify the source and then the destination operand. "movw %ax, %bx" will move %ax to %bx.
Immediate operands, like numbers or memory addresses, are entered with "h", "b", or no suffix at all for hex, binary or decimal digits respectively	Immediate operands are preceded by $ (dollar sign).
Comment is denoted by a ; (colon)	A comment is denoted by a # (hash)
Jump and call operands are undelimited	Jumps and calls are prefixed by an * (asterisk)

...so that the same C program (main.c), that only returns 0 to the environment would look like this:

AT&T

Intel


.text
.globl _main
_main:
pushl   %ebp
movl    %esp, %ebp
subl    $8, %esp
movl    $0, %eax
leave
ret
.subsections_via_symbols


int main(void){
return 0;
}


[SECTION        .text]
_main:
push    ebp
mov     ebp, esp
sub     esp, 8
mov     eax, 0
leave
ret
.subsections_via_symbols

Sources:
http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/gnu-assembler/i386-syntax.html
http://en.wikipedia.org/wiki/Unix

[0x00]. Notes on Assembly - Basic Terms

2008-07-28T12:30:00.024+01:00

Coding with programmatic Lego bricks.

Assembly language is the lowest-level human readable programming language. It consists of a set of instructions that directly manipulate the CPU and memory, thus taking the programmer as close to the core of the machine as it gets. Writing programs in Assembly is like playing with Lego bricks in computing terms and this is probably why I like it so much.

Below I have put together a quick Assembly talk reference, differences between Intel and AT&T syntax, and some good practices. I hope some Assembly virgins may find it useful.

What is what?

Opcode - literally OPeraction CODE, is a numeric value (binary in its original form, but most often represented hexadecimally) that stands for a basic machine instruction, e.g. incrementing one of the registers by 1, an AND instruction and such. The CPU fetches opcodes and executes them according to instruction set architecture provided by the vendor.

Mnemonic - A human-readable nickname for opcodes. Mnemonics are usually from 2-5 characters long (e.g. jz, movsb). Mnemonics, just like opcodes, are specific to the CPU.

Operand - If a mnemonic takes arguments, those arguments are called operands (since they are input values to an operator). In Assembly a valid operand can possibly be a register, a memory address, a constant or a label (which in fact is a memory address). E.g. the instruction "movl %eax,%ebx" has two operands - eax and ebx.

Immediate Operand - a literal (immediate) value, e.g. a numeric constant, like a memory address

Register - a basic data storage space, which can be accessed by CPU extremely fast, due to the fact that it lives in a CPU. The registers can be 64bit (?), 32bit (eax),16bit(ax), and 8bit (ah) in value. A pair of 4bit "nybbles" (byte halves) can be extracted from an 8bit register using ANDing or SHL/SHR tricks.

Paragraph - a 16-byte sized chunk of memory. Main memory is broken down into paragraphs starting from the address of 0000:0000 throughout, marking paragraph boundry every 16 (10h) bytes. In Segment:Offset memory addressing mode, every segment has to start in a position being a paragraph boundry.

Segment:Offset - standard memory addressing notation. Because of the nature Segment:Offset notation is computed, the Segment is denoted by a hexadecimal integer number always starts at a position in memory that is divisible by a paragraph size (16 bytes), so that actual memory address that the Segment points to equals to Segment value * 16. The Offset is a distance measured in bytes from the Segment address to the place in memory that you want to refer to. Please revert to sources section at the end of this post for more details.

Stack - a LIFO queue nested in the upper part of the main memory but ruled by the CPU mainly with push, pop commands.

Stack frame - a data structure in memory (on the stack) containing information about subroutine state.

Local and global labels - in the assembly code you can insert a label at any point by typing a label name followed by a colon. During compilation labels are translated into memory addresses. Global labels start with an alphanumeric character or an _ (underscore) and can be jumped to from any place in the code. Local labels start with a . (dot) character and can be placed after global labels. Local labels can be accessed by jmp instructions only within the code between two global labels.

Sources:
Assembly Language Step-By-Step by Jeff Duntemann
http://en.wikipedia.org/wiki/Operand
http://en.wikipedia.org/wiki/64-bit
http://en.wikipedia.org/wiki/Opcode
Explaination of the Segment:Offset notation by Daniel B. Sedory
http://en.wikipedia.org/wiki/Call_stack

0x08. [LPIC-302] LPIC 117-302 online exam simulation (yes, for free)

2008-07-14T05:35:00.003+01:00

I passed this exam almost two weeks ago. There was some more filling out the gaps that I expected, but the exam itself is never not too hard if you are prepared. It was a good fun and I enjoyed passing all 6 exams. I want to share a little bit of my joy with you with the exam simulation. It contains only 10 questions for now, just to give you a basic idea, but this will change soon (when I only get some time). If you want to suggest a question, please comment, and if it's gonna makes sense I will append it to the test.

As usual, comments are very welcome. I would appreciate your help in tracking any ambiguities/mistakes. Now, I hope it will help you gain some self-confidence before taking the real one. Have fun!

0x07. [LPIC-302] Security and Performance

2008-06-14T14:31:00.004+01:00

Linux File System and Share/Service Permissions
Candidates should understand file permissions on a Linux file system in a mixed environment

From the official Samba Howto, ch. 16, we read:

Samba does not attempt to go beyond POSIX ACLs, so the various finer-grained access control options provided in Windows are actually ignored.

Note

All access to UNIX/Linux system files via Samba is controlled by the operating system file access controls. When trying to figure out file access problems, it is vitally important to find the identity of the Windows user as it is presented by Samba at the point of file access. This can best be determined from the Samba log files.

This points us to well known commands of chmod and chown. Refresh their syntax. When it comes to smb.conf file, there are two options of particular importance:

create mask - This option takes an octal value of four digits and sets permissions on Samba-newly-created files accordingly. It can be used in all sections. It's default value is 0744
directory mask - does the same for directories what create mask does for files.

Samba Security
Candidates should be able to secure Samba at both the firewall level, and the Samba daemons themselves

The first move that we take towards Samba security can be hosts allow/hosts deny directives for smb.conf.

hosts allow = 127.0.0.1 192.168.1.0/24
hosts deny = 0.0.0.0/0

The configuration above allows you to access Samba server only from localhost and it's local network.

Similarly, we can go about narrowing down users that are allowed to connect:

valid users = @group, user1, user2

On top of this, access to samba can be restricted based on the interface specified:

interfaces = eth0 ath0 lo
bind interfaces only = yes

In order to block incoming connections to Samba ports with iptables make it drop packets.
[...]

Performance Tuning
Candidates should be able to cluster services for load balancing and high availability purposes, and tune Samba settings for better server and network performance

While measuring performance two tools will be of particular interest:

netstat, which reports on current network connections and stats
smbstatus, which reports on current samba connections

Socket Options -

Of all the socket options that can be applied to smb.conf file, apperently TCP_NODELAY has the biggest impact on performance. For full reference of Socket Options consult smb.conf

Other Options to smb.conf:

log level - is known to cause drops in performance
read size - sets optimal value for
read raw
write raw
max xmit
max connections
max disk size
max mux
max open files
max print jobs (S)
max protocol (G)
max reported print jobs (S)
max stat cache size (G)
max ttl (G)
max wins ttl (G)

0x06. [LPIC-302] Working with CIFS, NetBIOS, and Active Directory

2008-06-14T14:29:00.018+01:00

CIFS Integration
Candidates should be comfortable working with CIFS in a mixed environment

CIFS features and benefits

SMB/CIFS needs very little configuration to create a basic working system
Integrity and concurrency
Fault tolerance
Optimization for slow links
Security
Performance and scalability
Unicode

At least this is what Microsoft maintains.

In order to use remote CIFS shares from a Linux box, as always, you have a number of options. The first option would be smbclient, with help of which you can traverse the remote CIFS filesystem in an FTP-client style.

# smbclient //sambasrv/pub
Password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28]
smb: \> dir
.                                   D        0  Tue Jun  3 00:47:55 2008
..                                  D        0  Sat May 31 22:50:16 2008
manual.html                         A   112237  Thu Sep  6 06:18:20 2007
00ZIE                                        0  Sat May 31 22:56:40 2008

  55125 blocks of size 2097152. 52360 blocks available
smb: \> mkdir directory
smb: \> dir
.                                   D        0  Mon Jun 16 00:56:08 2008
..                                  D        0  Sat May 31 22:50:16 2008
directory                           D        0  Mon Jun 16 00:56:08 2008
manual.html                         A   112237  Thu Sep  6 06:18:20 2007
00ZIE                                        0  Sat May 31 22:56:40 2008

  55125 blocks of size 2097152. 52360 blocks available
smb: \> get 00ZIE
getting file \00ZIE of size 0 as 00ZIE (0.0 kb/s) (average 0.0 kb/s)
smb: \>

and so on...

The second option would be smbmount (which is exactly the same as mount -t smbfs, but at this stage we know that these options are deprecated and you should use mount -t cifs). Basically you can also mount remote CIFS filesystems.


# export PASSWD=qweasdzxc
# mount -t cifs -o user=oozie //ip.add.re.ss/pub /mnt/
# ls /mnt/
00ZIE  directory  manual.html
#

Following this, a line in /etc/fstab that says:

# /etc/fstab
# [...]
//ip.add.re.ss/pub      /mnt    cifs    credentials=/etc/secret 0 0
# [...]

...will mount the share at startup!

NetBIOS and WINS
Candidates should be familiar with NetBIOS/WINS concepts and understand network browsing

NetBIOS - An API that allows client computers on the same network to communicate. It also lays out guidelines for computer names and their behaviour on a local network. NetBIOS names are registered at system startup.

WINS - is a MS implementation of NetBIOS Name Service (NBNS). WINS server provides name lookups on Windows networks.

On a network without a WINS server domain registration is performed by a UDP broadcast.

Local Master Browser - every NetBIOS enabled machine on a common broadcast domain (subnet) is a potential LMB. It is 'local' because the name registration is done with UDP broadcasts, that don't trespass subnets. A local master browser is elected based on stability criteria, like uptime. A PDC is typically acting as a LMB, but in addition to that it can become a Domain Master Browser. Samba can be configured for being a local master with "local master = yes".

Domain Master Browser - this is typicall a role of a PDC, which collects browse lists from Local Masters and merges it into a domain wide list. It also connects to its primary WINS server to collect DomainName <1b> entries reported by different PDCs.

Samba can be configured to be a domain master with "domain master = yes" in smb.conf.

Elections - a server becomes a DMB by elections. This procedure is detailed in a KB article from Microsoft.

The methods used by MS Windows to perform name lookup requests (name resolution) is determined by a configuration parameter called the NetBIOS node-type. There are four basic NetBIOS node types:

b-node (type 0x01): The Windows client will use only NetBIOS broadcast requests using UDP broadcast.
p-node (type 0x02): The Windows client will use point-to-point (NetBIOS unicast) requests using UDP unicast directed to a WINS server.
m-node (type 0x04): The Windows client will first use NetBIOS broadcast requests using UDP broadcast, then it will use (NetBIOS unicast) requests using UDP unicast directed to a WINS server.
h-node (type 0x08): The Windows client will use (NetBIOS unicast) requests using UDP unicast directed to a WINS server, then it will use NetBIOS broadcast requests using UDP broadcast.

Samba as a WINS server

Configuring Samba to be a WINS is fortunately very easy. The process of doing so requires only two arguments added to the [global] section. Those are:

        wins support = yes
name resolve order = wins lmhosts hosts bcast

where hosts denotes the generic way of how Unix goes about DNS resolution according to /etc/nsswitch.conf. Samba will try to resolve names in the order specified by the second option. In this case, it will look into wins in the first place, then into lmhosts file, will performs a DNS lookup and will try to resolve name based on broadcast information.

WINS replication is a process of copying updated resolution data from one server to another. Refer here for a full explanation from Microsoft. It is not supported by Samba 3.

Samba Tools

smbtree - gathers information about the domains/workgroups available on the network and prints them out in a form of a tree.
findsmb - a perl script that collects information about machines on a subnet that respond to SMB queries
smbclient - a powerful tool to list and browse resources on SMB clients

lmhosts file - in its structure very similar to /etc/hosts, this file maps IP addresses to NetBIOS names.

Integrating with Active Directory
Candidates should be able to integrate Linux servers into an environment where Active Directory is present

Getting a Linux machine on the domain.
You need to tweak two files. As always smb.conf to change "security = ads" and krb5.conf.
Edit your /etc/krb5.conf file and add your realm there. My one looks like this:

--- krb5.conf ---
[realms]
AD.CORP.COM = {
    kdc = dc1.corp.com
}

[libdefaults]
default_realm = AD.CORP.COM
forwardable = true

[domain_realm]
    corp.com = AD.CORP.COM

[appdefaults]
ticket_lifetime = 90000
renew_lifetime = 608400
max_renewable_life = 608400

# [...]
--- krb5.conf ---

Then perform the following to get a valid krb5 ticket from the domain controller:

$ kinit oozie@AD.CORP.COM
Password for oozie@AD.CORP.COM:
$

Now in order to join your machine onto domain do:

$ sudo net ads join
Joined 'HOSTNAME' to realm 'AD.CORP.COM'
$ sudo net ads testjoin
Join is OK

You need to perform this as root or sudo the operations, because secrets.tdb has to be accessible.

Groups and Users
Once you are authenticated and on the domain you can manage users and groups.

# GROUPS
$ net ads group

$

# USERS
$ net ads user
[list of users follows]
$ net ads user info oozie
[groups that oozie is a member of follow]
$ net ads delete username
[removes user from AD]
$ net ads user add username
[adds username to AD]
$ net ads user rename user
[renames a user]

# HOST
$ net ads status
[shows info about your workstation]

# PRINTERS
$ net ads printer search
[dumps info about all the printers in AD]
$ net ads printer info printerName serverName
[info about a particular printer]
$

/*** Work in progress

Knowledge of the DNS requirements for Active Directory

DNS
LDAP
smbcalcs

***/

Working with Windows Clients / know your enemy
Clients should be able to interact with remote Windows clients, and configure Windows workstations to access file and print services from Linux servers

net.exe
Windows' NET command helps you manage all kinds of network resources.

net view - browses and lists NetBIOS enabled computers.
net view \\workstation - shows browsable shares available on a workstation
net time \\workstation - returns the time on a remote computer.
net use [drive letter] [\\server\share] - maps a share to a virtual drive.
net use /delete [drive letter] - disconnects from a share

rdesktop
rdesktop is an opensource RDP client.

References:
http://www.meteck.org/cifs.htm http://www.samba.org/
http://en.wikipedia.org/wiki/Windows_Internet_Name_Service
http://support.microsoft.com/kb/188001

0x05. [LPIC-302] User and Group Management

2008-06-14T14:26:00.013+01:00

Managing User Accounts and Groups
Candidates should be able to manage user and group accounts in a mixed environment

Exploring this chapter some knowledge about SIDs can be useful (See Terms Glossary). Basically every object, be it a group, user, domain or machine has it's SID. Samba provides you with the "net" program to find out about SIDs and not only. E.g.


# net getlocalsid
# net sam show oozie

Users can be added with 'smbpasswd -a' which stores the information about the password in three possible locations:

smbpasswd file, if passdb backend = smbpasswd
TDB file, if passdb backend = tdbsam
LDAP directory, if passdb backend = ldapsam

Mapping users

Since usernames on Microsoft systems can violate the rules applied to Unix usernames, Samba provides the administrator with username mapping functionality. This is independent from the backend used. For translating Windows to Unix usernames Samba can use dictionary file, typically called smbusers, or a script/program that takes the windows username as it's first argument and returns it's Unix counterpart. smb.conf options to achieve that are:

username map = filename
username map script = /absolute/path/to/script

Username map dictionary has a simple syntax of 'map_to_username = map_from'. If the entry is prefixed with &,@ or a + then it makes it a NIS or Unix netgroup.

Samba associates Unix groups with Windows SIDs and this way presents it to Windows clients.
Group attributes can be modified with 'net groupmap'.

smbpasswd cheatsheet

smbpasswd -a = adds a user
smbpasswd -d = disables an account
smbpasswd -e = reenables an account
smbpasswd (without options) = changes user's password
smbpasswd -x = remove account
smbpasswd -n = set accounts password to null value

force user / force group
The options named above force authenticated users to perform operations on the shares as some other users. This is useful, especially in case of 'force group', to either restrict or extend file sharing. Please refer to smb.conf for more details.

Identity mapping (IDMAP)

If Samba operates as a standalone server there is no need for extensive identity mapping, because the users and groups are managed locally. A need for IDMAP facility occures when Samba is a member of

Windows NT4 domain
Active Directory domain
Samba Domain

hence it requires a running instance of winbindd. There is a number of situations for which we deploy the winbind server to help with IDMAP.

Authentication and Authorization
Candidates should understand the various authentication mechanisms and configure access control

Setting up a local password database can be achieved by setting 'passdb backend' to smbpasswd or tdbsam. The former setting will use flat database (text) file of the following format:

username:uid:LM hash:NT hash:flags:last_change

where flags are:

U - a user a account
N - no password
D - account disabled
W - machine trust account

... whereas the latter will store passwords in passdb.tdb.

Password Synchronization

There are many reasons why Samba administrators want Samba users to have a common password for SMB and Unix. Normally, a user has to change her password twice, with Unix passwd command and then with smbpasswd. This will almost certainly not keep consistency between databases. Here is where pam_smbpass.so comes in handy. It is used to keep /etc/shadow and smbpasswd consistent.
Please find examples for pam_smbpass.so config here.

Winbind
Candidates should be able to install and configure the Winbind service

Winbind combines together PAM, NSS and MSRPC and allows "Windows NT domain users to appear and operate as UNIX users on a UNIX machine" (quotation from Samba Howto - Chapter24). It includes two core functalities:

Authentication of users with help of PAM and ntlm_auth program. This comprises:
- obtaining user/group information
- authentication
- password changing
Identity resolution used for IDMAP and maintanance of IDMAP table. winbind stores the mappings into tdb file as it goes along and finds out about new ones.

The main binary lives in /usr/sbin/winbindd or /usr/local/sbin/winbindd. To read the configuration winbind refers to smb.conf. Below is a snippet extracted from Samba howto:

[global]
# separate domain and username with '\', like DOMAIN\username
winbind separator = \
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template homedir = /home/winnt/%D/%U
template shell = /bin/bash

pam_winbind.so is the PAM module responsible for talking to winbind.

Do not run NSCD on a computer that runs winbindd at the same time. If you do, it will be impossible to resolve domain users and groups for directory system controls.

0x04. [LPIC-302] Samba Advanced Config - DCs, SWAT and Internationalization

2008-05-27T22:58:00.010+01:00

Domain Control

Candidates should be able to setup and maintain primary and backup domain controllers, and manage Windows/Linux clients' access to the domain

To control a domain means to have a central point of command from which the users and machines within the domain can be authenticated and authorized and resources accessed.

There are three main types of domain controllers:

NT4 PDC (P stands for Primary) - This is a server on the network that initiates new domain control database. By definition, the clients should refer to the BDCs prior to consulting a PDC, so it doesn't have to be the strongest machine in your domain.
NT4 BDC (B is for Backup) - synchronizes its authentication database with a PDC and plays a key role in answering authentication requests from the clients. It answers most of the authentications requests from the clients. PDC responds to authentication call only if BDC is heavily loaded.

On a Microsoft network it is possible, that PDC and BDC swap their roles, however, Samba does not implement this feature and PDC/BDC have to be specifically defined (a rather excessive feature anyway). What Samba offers and Microsoft Systems NOT, is the ability to change the role of the server between a PDC, BDC, domain member and a standalone server. The Redmond team tells us to reinstall everytime we want a change.
ADS DC (Active Directory Service DC) - while Samba3 fully supports ADS domain membership, it couldn't act as a full-featured DC. There are some efforts to make it happen, but still in an experimental phase, so officially no support for:
machine policy files, Group Policy Objects, synchronously executed AD logon scripts, AD management tools.

Domain membership

Microsoft Systems can organize themselves on a network in two types of gatherings: Workgroups and Domains.

A workgroup is nothing but an informal organization of computers that employs no security and every machine can become a member just by assigning itself to a particular workgroup (a very common name for a workgroup would be WORKGROUP itself).

A domain is a security organized gathering of computers that involves security machine accounts called Machine Trust Account. A user account with local admin rights can attach a computer onto a domain. During this process a machine account is created on the Domain Controller and is used for further authentication. Benefits of being a part of the domain comprise e.g.:

Single Sign-On for all shares and printers on the domain
Central management of users access control
Ability of desktop profiles and policies usage

When creating machine accounts in Samba we need to remember that they have to be available in /etc/passwd too. The difference between them and normal accounts is the $ (dollar) sign appended to the end of their name. You smbpasswd -a machine account names without the $ sign at the end.

Samba howto explains how to configure a {P,B}DC. Please revert to it and play around.

Roaming profiles
An excerpt from Chapter 27 of Samba Howto:

Roaming profiles allow an administrator to make available a consistent user desktop as the user moves from one machine to another. This chapter provides much information regarding how to configure and manage roaming profiles.

A very useful feature for companies employing a greater number of users than computers and on top of this working in different shifts, so that every now and then a user has to sit at a different computer.

System policies
In order to avoid confusion you need to understand a difference between two things: NT 4.0 System Policies and Group Policy Objects. GPOs are a part of AD, which samba 3 does not support, hence we'll focus on System Policies.
System policies are applied during users logon. Samba client connects to the domain controller and looks for the NETLOGON share. If it's found, the client would look further for ntconfig.pol file and if found and successfully read, it will try to modify clients system registry.
System policies can be modified with help of Policy Editor, provided with WinNT 4.0 SP.

SWAT Configuration

Description: Candidates should be able to install and configure the Samba web administration tool, and be comfortable with configuring changes to Samba within it.

Samba Web Administration Tool is a very handy browser based config file creation tool. It comes with the Samba distribution and is meant to be run from within xinetd, it's main binary lives in /usr/sbin/swat. Once you have your SWAT configured as per Samba Howto, you can access it via http://localhost:901 url in your favourite browser. Don't forget to "smbpasswd -a root" and set its password, otherwise SWAT won't let you in.
SWAT consists of a web-based interface with all the options available in the current version of Samba. With its help you can add shares and printers and tweak their configuration. It also contains a wizard to walk the user through. From the Howto we read:

The purpose of the SWAT Wizard is to help the Microsoft-knowledgeable network administrator to configure Samba with a minimum of effort.

Fair play to the authors for the choice of language and sense of humour.
I'm not going to guide you through SWAT, which however powerful, is easy enough to grasp. Good luck, leaving you to it, but don't worry, because the Samba Howto is really well documented. It describes a simple way to run SWAT over SSL and Internalization support.

Internalization
Candidates should be able to work with internationalization character codes and code pages

Before Unicode was introduced computers in non-English countries used to exchange data using codepages. They are character encoding tables allowing you to use extra characters like the Polish łóżźąęćś. Samba 3 talks Unicode by default and will be understood by WinNT/ME/XP. Older clients, however, will still use DOS charsets, like CP850. This can be customized in smb.conf with "dos charset" option. If you want to check what is the default charset on your Samba installation run "testparm -v|grep 'dos charset'" and hit enter.

0x03. [LPIC-302] Samba Basic Config - file and printer shares

2008-05-27T22:56:00.020+01:00

Configuring File Sharing Services

Public Share

We start with configuring a basic public share that is world-readable. There are actually two ways of doing it, but we will focus on one only (user security mode) since the other (share security mode) is deprecated and likely to disappear from future releases of Samba. If your distribution does not create a role account for Samba, it might be a good idea to create one instead of mapping guest users to "guest" or "nobody" accounts. The account has to be added with smbpasswd, or otherwise you will be having hard times understanding unexpected behaviour of some config options. So...

# useradd smbguest
# smbpasswd -n smbguest

Before we put our fingers on smb.conf let's create the public share on the local filesystem.

# mkdir -p /var/smb/ebooks
# chmod 1755 /var/smb/ebooks

Use your favourite editor to create an smb.conf file like that:

---- smb.conf ----
[global]
security = user
 workgroup = tux
netbios name = elibrary
guest account = smbguest

[ebooks]
 path = /var/smb/ebooks/
guest = ok
---- smb.conf ----

Upload your favorite man pages to the public directory and restart smbd.

Writable Public Share

Let's take our share to the next level (LOL) and make it possible for everyone to upload their ebooks. Simply append "read only = no" or "writable = yes" to the [ebooks] section.

Invisible Writable Public Share

At this stage if a client tries to access \\elibrary\ it will see all the shares available, which at this stage should be [ebooks] and the default printer share. [ebooks] includes some books that contain information not for everyone to see. If you want to make [ebooks] disappear from clients listing then append "browsable = no" to the share section. This way the share will be invisible for listing, but still accessible when specified explicitly (\\elibrary\ebooks)

Authenticating Users

Because the current configuration is a mock in terms of security and functionality we should make a small improvement to it and give write access only to authenticated users whereas guests are still able to read files, however, no way of writing anything.

We need to create Samba users on the server first, and this is done with "smbpasswd -a".

# smbpasswd -a oozie
New SMB password:
Retype new SMB password:
#

An important note: the user has to be available via getent call, so most typically it should be available in /etc/passwd file. If it isn't you will most likely see this error message: "Failed to modify password entry for user [username]". On the other hand ff you add an existing POSIX user with smbpasswd, remove it from /etc/passwd and try to smbpasswd -x (remove user) you will see this: "smbpasswd database is corrupt! username [user] with uid [uid] is not in unix passwd database!"

Again, a slight reconfiguration of smb.conf is necessary. Append "read list = smbguest" to the end of [ebooks] section and restart the daemons. This way oozie will be able to read/write, whereas all the guests will read the e-books only.

Exceptions
Samba allows exceptions from many rules, practically even from exceptions themselves. If we want to narrow down or widen the list of users that should have access to our folders we can use "invalid users" or "valid users" directives to smb.conf. They will sit on top of other ACLs that we specified earlier and will allow/disallow exceptional access respectively.

Mounting Samba Shares
You can mount Samba shares with help of mount -t smbfs (deprecated in favor of mount -t cifs) and smbmount, that invokes mount.smbfs to mount a share (which makes it a deprecated option). So a situation like this will be very common nowadays:


# mount.smbfs //192.168.1.36/ebooks /mnt
Password:
ERROR: smbfs filesystem not supported by the kernel
Please refer to the smbmnt(8) manual page
smbmnt failed: 255

In this situation "modprobe smbfs" should help, but make sure that this module comes compiled with your kernel. A preferred alternative to smbmount/mount.smbfs is mount.cifs (that requires cifs.ko module)

# mount.cifs -o user=oozie,pass=passwd //192.168.1.36/ebooks /mnt
Password:
# ls /mnt
ebook1.pdf ebook2.pdf ebook3.pdf

[homes] share

This share is a special option that tells samba to create a temporary share named after the username of the connecting user. The share gets all the attibutes specified in the [homes] section.

Plan file service migration
http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html#id2676131

Create scripts for user and group handling of file shares
smbcquotas - Set or get QUOTAs of NTFS 5 shares
smbsh - Allows access to remote SMB shares using UNIX commands

Configuring Print Services

Samba supports a number of protocols for print sharing. The list includes {the print subsystem it should expect. Samba supports CUPS, LPD, LPRNG, SYSV, HPUX, AIX, QNX, PLP}, but CUPS is here of particular interest, since Samba supports it natively. It makes direct library calls, so smb.conf requires only minimal configuration in the [printers] section for the printers to work:

[...]

[printers]
path = /var/spool/samba
printable = yes

[...]

The 'path =' parameter must be different from the subsystem spooling directory, in this case different from /var/spool/cups.

The [print$] share

print$ hosts all the drivers required by Samba printers. It should not be used under a different name, because Windows clients are hardcoded this way. When they connect to the share, they try to look up drivers based on their own architecture, which is one of the following {W32ALPHA,W32MIPS,W32PPC,W32x86,WIN40}. The most frequently looked-through directory nowadays is W32X86 because it is used by Windows NT, 200x and XP.

Commands:

smbprngenpdf - a shellscript that converts printer spool files to PostScript format, and translates it to PDF later, unless -k option is specified. By default, files printed in this way are stored in the ~/PDF directory of the requesting user.
smbspool - sends a print file to a Samba printer (man 8 smbspool for more info)

Sources:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/classicalprinting.html

0x02. [LPIC-302] Samba - introduction to basic configuration

2008-05-27T20:58:00.007+01:00

Configuring Samba...

While configuring Samba we should start with learning about it's main config file structure, namely the structure of smb.conf. Many tutorials write entire chapters about it, but I think that an extract in form of bullet points is enough.

smb.conf

smb.conf has a general format of a Microsoft Windows INI file.
It is divided into sections denoted by a section name enclosed in square brackets, e.g.
[share name]
Sections are file or printer shares that are available on the server.
The only section that is not a share is the [global] section.
Options specified in the [global] section determine the behavior of the server itself and not it's shares.
Every configuration directive in it is of the following format:
configuration directive = value
All lines in the config file starting with ; (semicolon) or # (hash) are understood to be comments.
smb.conf DOES NOT support a mix of config parameters and comments on the same line
You can extend a long non-comment line in smb.conf file by adding \ (backslash) at it's end and continuing in the following line.
If you want to check for the correct smb.conf syntax, use the testparm(1) utility.

Samba variables and configuration parameters.

Samba has over 350 configuration options to apply in the smb.conf file, so you must admit that it is quite customizable just by this fact itself. I'm obviously not going to list them all here. Instead I'm pointing you to a very good reference, namely smb.conf(5) manual page. It describes all of the options we need + many more. So...

$ man 5 smb.conf

The variables as well as the values are not case nor whitespace sensitive.

SMB/CIFS TCP/IP Ports information
SMB/CIFS protocol requires to keep TCP/UDP open on the following ports:

137/udp for nmbd (NetBIOS network browsing)
138/udp for nmbd (NetBIOS name service)
139/tcp for smbd (file and printer sharing)
445/tcp for smbd (to run SMB/CIFS directly via TCP/IP)
901 for SWAT, not essential

Samba logging
Samba logs normally live in /var/log/samba, but this path can be changed during compilation time with --with-logfilebase=/path parameter. If you are not sure about the path on your system, use the magic "smb -b" and grep it for LOGFILEBASE. All of the logging configuration options are optional and all of them come up in the [global] section. Please find the most interesting ones for us below:

log level or debug level - defines a loglevel that should be used. By default it is 0, which means it only logs critical events.
max log size - defines the maximum log file size.
syslog only - it tells smbd not to use the logfiles, but the syslog facility instead.

0x01. [LPIC-302] Samba configuration and compilation from source

2008-05-25T13:04:00.014+01:00

Installation

As we know from the previous exams, LPI tries to be vendor independent that's we had to learn about both RPM and DEB packages. The knowledge about Gentoo e-builds is not required, but it's worth a recommendation, as it illustrates very clearly the need for dependencies and configure-time options.

While installing a package from DEB or RPM, the package management system creates directories, copies the pre-compiled binaries where appropriate as well as the necessary config files. The obvious advantage here is the speed of installation. The disadvantage: if you want to customize your installation, you need to uninstall the DEB/RPM packet, look for the source, download it, resolve dependencies by hand and compile it. This takes much more time, but lets you have a secure and customized installation of Samba. You are required to know both how to install Samba from source and packages.

Install Samba from packages

Packaged binaries for a number of different Linux distributions can be found on the following URL:

http://us1.samba.org/samba/ftp/Binary_Packages

If there is no package for your distribution, double check if your distribution maintainers didn't packaged it for you. LPIC foresees installing things with help of rpm and dpkg.

Install Samba from source
You can always get the latest source from http://samba.org/samba/ftp/samba-latest.tar.gz. Download the package and its signature and check it with gpg:

$ wget http://samba.org/samba/ftp/samba-pubkey.asc
$ wget http://samba.org/samba/ftp/samba-latest.tar.asc
$ wget http://samba.org/samba/ftp/samba-latest.tar.gz $ gpg --import samba-pubkey.asc
$ gpg --import samba-pubkey.asc
$ gunzip samba-latest.tar.gz
$ gpg --verify samba-latest.tar.asc
[...]

Once you make sure that the packages have not been tempered with, you can proceed with pre-compile configuration.


$ tar xf samba-latest.tar
$ cd samba-*/source
$ ./configure --help
[... read ...]
$ ./configure [--lists --of --args]*
$ make && make install installbin installman
[...]

Makefile for samba is inteligent enough to look for existing installation of Samba first. If it finds the binaries, it changes their name to .old. This way, if something goes wrong you can easily revert all changes with "make revert". A very nice feature.

Notable options to ./configure script include:
To find out about all options that are available at compilation time refer to the "./configure --help" command. Below I list the options that are not enabled by default and may be of interest for you:


#./configure --help|grep default=no
--enable-static=PKGS    build static libraries default=no
--enable-debug          Turn on compiler debugging information (default=no)
--enable-socket-wrapper         Turn on socket wrapper library (default=no)
--enable-developer      Turn on developer warnings and debugging (default=no)
--enable-krb5developer  Turn on developer warnings and debugging,
    except -Wstrict-prototypes (default=no)
--enable-dmalloc        Enable heap debugging default=no
--with-fhs              Use FHS-compliant paths (default=no)
--with-profiling-data   Include gathering source code profile information (default=no)
--with-afs              Include AFS clear-text auth support (default=no)
--with-fake-kaserver    Include AFS fake-kaserver support (default=no)
--with-vfs-afsacl       Include AFS to NT ACL mapping module (default=no)
--with-dce-dfs          Include DCE/DFS clear-text auth support (default=no)
--with-automount        Include automount support (default=no)
--with-smbmount         Include smbmount (Linux only) support (default=no)
--with-pam              Include PAM support (default=no)
--with-pam_smbpass      Build PAM module for authenticating against
    passdb backends (default=no)
--with-nisplus-home     Include NISPLUS_HOME support (default=no)
--with-syslog           Include experimental SYSLOG support (default=no)
--with-quotas           Include disk-quota support (default=no)
--with-cluster-support  Enable cluster extensions (default=no)
--with-acl-support      Include ACL support (default=no)
--with-aio-support      Include asynchronous io support (default=no)
#                            

Identify and resolve dependencies
Dependencies on samba are mostly optional.
It requires the following packages for additional functionality:

MIT or Heimdal Kerberos for AD support
OpenLDAP for LDAP integration
CUPS
Linux-PAM

Upgrade Samba
dpkg

$ wget http://samba.org/samba/ftp/samba-pubkey.asc
# apt-key add samba-pubkey.asc
# dpkg --install samba-NewerVersion.deb

rpm

$ wget http://samba.org/samba/ftp/samba-pubkey.asc
# rpm --import samba-pubkey.asc
# rpm -Uhv samba-NewerVersion.rpm

Source:
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/install.html
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/compiling.html

0x00. [LPIC-302] Samba/CIFS - Terms glossary

2008-05-23T21:50:00.023+01:00

If you want to dive deep into Samba world it would be good to understand the wording used in the following sections. If you spot any inconsistencies and/or have any suggestions, please let me know. This is one of those posts that are in constant development.

What is the difference between SMB and SAMBA ?

Many people confuse these terms and think they can use it interchangeably. It's not the case.

SMB - stands for Server Message Block, was originally invented by Barry Feigenbaum at IBM and it represents more the protocol rather than the actual implementation.

SAMBA - is the open source implementation of the SMB protocol, originally coded by Andrew Tridgell in 1991. Nowadays Samba distribution (version 3 standard) contains three daemons:

smbd - this is the most famous daemon from the Samba suite. Its task list comprises:

authentication
authorization
file+printer sharing

nmbd - NetBIOS Message Block Daemon, handles NetBIOS naming as per its name. It should be started as the first of all three samba daemons.

winbindd - this daemon talks to Windows domain controllers.

smbcontrol - knowing that we have three daemons at our disposal, it is good to be aware of a little program of smbcontrol, that can talk to the daemons on their run-time. smbcontrol is capable of sending commands to the daemons, e.g. reinforcement of a browser master election.

CIFS - Common Internet File System. This term was introduced first time by Microsoft in 1996. It is more extensive than the original SMB, but both names are used interchangeably.

NetBIOS - Network Basic I/O System. A network protocol originally designed by Sytec Inc. in 1983. It describes three kinds of service: name service (registration on the network and address resolution), session service (connection oriented, TCP based) and datagram distribution service (connectionless, UDP based).

smb.conf - Samba system-wide configuration file. It has an easily readable structure of a standard Windows INI file. The file tells samba which security mode should be used.

Samba Security Modes

User Level Security - The client first negotiates the protocol, then it sends a Session Setup request along with users credentials. If the server accepts the client, the latter expects to be able to connect to any share on the server with the original username and password combination and does not expect to be prompted for it again.

A rejection of the clients request can be based on a wrong pair of username/password supplied or bad hostname.

This level of security is set by the following directive in smb.conf:

security = userTypically, this is the default Security Mode setting
Share Level Security - the client authenticates with each share separately. It sends the password along with each "tree connect" request, however, the username is never sent over, so Samba has to figure it out on its own. This way, a password is associated with a share rather than with a username. Sounds dodgy? It is, and will likely be removed from Samba in it's future releases. Share security mode is deprecated and the user is requested to avoid its usage as much as possible.

security = share
Domain Security Mode - in this security mode Samba has to have a machine account on the domain controller, and passes all the authentication requests through it.

security = domainworkgroup = your-domain

This security mode does not make Samba a domain controller. It means that Samba should be a member of a domain.
ADS Security Mode - this security mode uses "NT4 style RPC based security". In can go in sync with Active Directory.

realm = YOUR.KERBEROS.REALM
security = ADS
password server = your.kerberos.server

secrets.tdb - It contains passwords for workstations, LDAP admin DN (Distinguished Name), and information about trust account.

secrets.tdb is just an example of a TDB file. TDB stands for "Trivial Database". It is one of the persistent TDB files, that do not change frequently. Persistent TDB files should be backed up regularily and moved over during upgrades and migrations. They live typically in /etc/samba/private directory, as opposed to non-persistent ("mundane") files, that typically live in /var/lib/samba. Note, that the default locations of both file types can be changed during compilation. In order to find out where the location is for compiled binaries, do the following:

# smbd -b | grep PRIVATE_DIR
- for persistent files

# smbd -b | grep LOCKDIR
- for non-persistent files

There is a number of commands that we should pay attention to in relation to TDB files:

pdbedit - manages the database of Samba Users
tdbbackup - you can backup and check the integrity of TDB files with this one
tdbdump - you can use this program for printing the contents of a TDB file
tdbtool - this is an interactive tool for modifying the contents of a TDB file.
smbpasswd - changes user's SMB password

SID - Security Identifier, is a string of the following format: S-a-b-c-d-[e-,f-,g-,...] , where:

S-a - denotes SID revision, e.g. S-1
b - number of authorities and subauthorities
c - top level authority
d and following are numbers of subauthorities, their total number is equal to b

SIDs uniquely identify a CIFS object, be it a domain, user, group or other things.

Foreign SID - an SID not belonging to the current domain.

Sources:
man {pdbedit, tdbbackup, tdbdump, tdbtool, smbpasswd}
http://www.samba.org/cifs/
http://de.wikipedia.org/wiki/Server_Message_Block
http://en.wikipedia.org/wiki/NetBIOS
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html
http://wiki.samba.org/index.php/Frequently_Asked_Questions

bash kick - A quick way to get rid of unwanted users from the system.

2008-05-02T23:40:00.005+01:00

If you play cyber wargames you may feel a necessity to quickly and efficiently kill other users sessions. This has to be done within seconds and the hit must be precise. "kill -9 $(ps -o pid= -u user)" would be enough to get the user away but it is a bit longish (= not suitable for a stressful time-critical situation). Ideally, you should use a short and simple word, like kick, and have an ability to eliminate your enemy from the system by their username or their TTY. This can be achieved by a simple extension to root's local .bashrc file.

kick.tar.bz2

Installation (as root):
cd
wget http://oozie.fm.interia.pl/src/kick.tar.bz2
tar xjvf kick.tar.bz2
append ". ~/.kick/bashrc.include" to root's .bashrc
type "bash" to restart the shell

kick - if you want to kill all processes of the user , e.g. kick dummy

kick tty - if you want to kill only one particular teletype session, e.g. kick tty pts/0

Encrypted root & swap partitions on Gentoo with cryptsetup (LUKS) in less than an hour!

2008-04-20T03:18:00.012+01:00

UPDATE: This post is out of date. Check the new script for automated Gentoo Installation.

I was sick for two days last week and not having gone to work I finally found some time to play with encrypting Linux partitions using cryptsetup-luks. There is a very good HOWTO on Gentoo-Wiki describing the entire process step by step. Manual installation takes a bit too long and since I need encrypted hard drive on every computer, especially a laptop I wrote a set of scripts and got Gentoo to install on an encrypted root+swap in 10 quick steps. All you need is a Gentoo Minimal Installation CD version 2006.1 or 2007.0 and Internet access. Let's start!

gentoo-crypto.tbz2
Installation from a Gentoo Mini Install:

Current version fully supports only the x86 architecture. If you have an 64bit system, make sure you download the right stage3 in the step 0x06!

The installation process:
0. Boot off a Gentoo Mini Install CD
1. Partition your hard drive, so that you have at least 3 partitions: boot, swap and root.
2. wget http://oozie.fm.interia.pl/src/gentoo-crypto.tar.bz2
3. tar xjf gentoo-crypto.tar.bz2
4. cd gentoo-crypto
5. cat README
6. run ./00config.sh and answer the questions
7. run ./0?*.sh files one by one and look for errors.
8. You should finish with setting up root password.
9. You write a basic /boot/grub/menu.lst and install grub onto your hard drive from a chrooted environment on /mnt/gentoo

That's it :)

0. Create a basic config file with 00config.sh :)
Partitions on your disk should be laid out prior to this step!

01modules.sh - this script loads appropriate cryptographic modules that are necessary for cryptsetup to proceed.
02crypt_dwnld.sh - downloads the statically liked binary of cryptsetup
03cryptswap.sh - sets up and encrypts the swap space
04cryptroot.sh - does the same as the one above, but with the root partition
05filesystem.sh - creates the root filesystem and mounts it
06baseinstall.sh - downloads stage3 and portage, extracts them, makes you select a mirror and downloads the kernel source
07etcfiles.sh - the script edits /etc/fstab and points both root and swap to /dev/mapper/root and /dev/mapper/swap
08kernelchk.sh - this script checks your kernel config for all required options. This may not be reliable, as the option names may change from one kernel version to another. I attach a simple config for 2.6.24 kernel.
09initramfs.sh - creation of initramfs takes
0Abasicsetup.sh - merges a couple of ebuilds, the ones that are crucial for the system to work and those specified in config.crypto EBUILDS variable. Most importantly, it reemerges udev to the newer version, thus letting you emerge device-mapper which is necessary for the /dev/mapper/root device to be recognized in the system*.

Enjoy.

http://luks.endorphin.org/dm-crypt
http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS

* If you neglect re-emerging udev and device-mapper ebuilds you are very likely to see a message like this:
* Checking root filesystem ...
fsck.ext3: No such file or directory while trying to open /dev/mapper/root
/dev/mapper/root:
The superblock could not be read or does not describe a correct ext2
filesystem. If the device is valid and it really contains an ext2
filesystem (and not swap or ufs or something else), then the superblock
is corrupt, and you might try running e2fsck with an alternate superblock:
e2fsck -b 8193

* Filesystem couldn't be fixed :(
Give root password for maintenance
(or type Control-D to continue):
The super block can not be read, because /dev/mapper/ directory is empty, non-existent or contains only the special character device control. You can otherwise fix this message by changing two last fields in /etc/fstab from "0 1" to "0 0", but it's not a real solution - you just prevent the partition from being checked.

0x0F. [LPIC-301] Capacity Planning - Predict Future Resource Needs

2008-01-01T20:11:00.002Z

* Predict capacity break point of a configuration
* Observe growth rate of capacity usage
* Graph the trend of capacity usage
* diagnose
* predict growth
* average
* resource exhaustion

0x0E. [LPIC-301] Capacity Planning - Analyze Demand

2008-01-01T20:09:00.001Z

Demand analysis is based on the Queuing Theory.
Perl::PDQ makes use of it.

0x0D. [LPIC-301] Capacity Planning - Troubleshoot Resource Problems

2008-01-01T20:08:00.000Z

Let's kick off with a glossary:

a block device = in Linux system it is a special file corresponding to data storage devices. The system talks to block devices using "blocks".
block = a bulk of bytes, typically having a multiplication of 1024 as it's size. Files on a filesystem are segmented in blocks. File block size = file bytes size / block size, brought to the next integral value down and incremented by 1. Data being read from a filesystem is not read byte-by-byte, it's read in the whole block instead. It's much faster.
"blocks in" / bi = blocks received from a block device. vmstat
"blocks out" / bo = blocks sent to a block device. vmstat
process blocked by I/O = this happens when the read or write speed for a single process is not sufficient.

It happens on occasions that some processes get blocked (or rather postponed to avoid confusion with the glossary explanations above) due to block devices I/O. (here block devices in the meaning from the glossary). You can verify this information using vmstat, more precisely the info will be displayed in the procs subsection. You may want to perform a test and issue the followoing command:

dd if=/dev/zero of=/dev/null &

This will produce a big number \0's being transferred between two virtual devices continuously. Compare the output from vmstat from before and after the command execution.

Reference to a good resource:
http://tldp.org/LDP/intro-linux/html/sect_04_03.html
todo:

Match / correlate system symptoms with likely problems
Identify bottlenecks in a system

swap

0x0C. [LPIC-301] Capacity Planning - Measure Resource Usage

2008-01-01T20:07:00.000Z

In this section we focus on measurement tools, in particular on the sysstat suite by Sebastien Godard.

I presume you are familiar with the /proc/cpuinfo file already. This information is static. How to obtain a dynamic info about CPU I/O?

iostatAccording to it's man page, iostat reports CPU statistics and I/O statistics for devices and partitions. In it's basic for iostat output looks like this:

100% of the CPU load is split into 6 categories as presented on the picture. Below a block device, sda, and statistics for it: transfers per second, block reads per second, block writes per second, total block reads, total block writes. Go to iostat man page for more information.

mpstat
mpstat reports all CPU related statistics. Its output is similar to iostat's with the main difference being much preciser CPU stats (mstat is able to show info for every processor alone) and no information about other devices at all.
vmstat

vmstat reports information about processes, memory, paging, block I/O, traps, and CPU activity. Basic vmstat output looks as follows:

You can specify a number of seconds (X) as a command line argument. If you do so, vmstat will show you average load since the last reboot as the first line (like above) and consecutive lines will be generated every X seconds and will report average stats for the last X-seconds period. You can find a some more comprehensive information on what can be read from the reports in the vmstat man page, "field description for vm mode" section.

sar
This utility is more sophisticated than the previous programs from sysstat suite. sar is a command-line front-end to sadc program, which collects data at specific intervals (you can add data collection to crontab). In order to collect data, you can use two shellscripts sa1 and sa2, wrappers around sadc. Configuration of the tool is described at http://pagesperso-orange.fr/sebastien.godard/tutorial.html. The following picture shows the how my two processors performed during one second:

Other, helpful tools include { pstree, w, lsof, top, uptime }. Refer to their man pages for more info.

How to ... ?
- Measure CPU usage

you can fire up 'uptime'. It gives you a one line of information: current time, time since the last reboot, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes. If the load over the for the three values is consecutively decreasing, it means we may be in trouble. If the values increase from left to right it means that things are getting less and less CPU load. Usually good news.
iostat discloses instantaneous information about the average CPU load on all processors and some block I/O info, which can be connected to each other.
In order to get some more detailed info about the CPU, run mpstat, if you prefer with the "-P <processor_nr>" option in order to see info specific for one of the processors. (cat /proc/cpuinfo to see the amount of processors)

- Measure memory usage

vmstat would be the right pick for that purpose. According to the man page, it shows memory information in the following sections you:
swpd: the amount of virtual memory used.
free: the amount of idle memory.
buff: the amount of memory used as buffers.
cache: the amount of memory used as cache.
inact: the amount of inactive memory. (-a option)
active: the amount of active memory. (-a option)

- Measure disk I/O

vm in vmstat stands virtual memory and for this one it's intended. You can, however measure disk"vmstat -d" or "vmstat -p <partition_name>"

- Measure network I/O

"sar 1 -n DEV" does the trick. It will show you stats for network interfaces in received/transferred packets/compressed packets/bytes per second, as well as multicast packets per sec.

- Measure firewalling and routing throughput

sar?

- Map client bandwidth usage

sar?

Some good reference:
http://tldp.org/LDP/sag/html/system-resources.html

0x0B. [LPIC-301] LDAP - Development

2008-01-01T19:59:00.000Z

As LDAP is constantly gaining on popularity so are numerous applications based on it. If you happen to work with LDAP on the regular basis and use it for something more than keeping whitepages with contacts for your Thunderbird, you will need to write some scripts eventually. LPIC requires Perl knowledge in this respect. If I was to recommend a compact guide to it, I would point you in the direction of "LDAP System Administration" by Gerald Carter (It seems like the whole exam is based on it anyway). It describes the basics about Net::LDAP module, but requires from you some background in Perl.

Getting Libraries...
Libraries are available on CPAN, you can get all the required libraries downloading Bundle::Net::LDAP.

root@hackpospolita:/home/oozie# cpan
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v1.7601)
ReadLine support available (try 'install Bundle::CPAN')

cpan> install Bundle::Net::LDAP
CPAN: Storable loaded ok
[...]
... and answer a lot of questions :)

Scripting
I think the best method to learn scripting is to try doing it yourself. Reference documentation can be also found on the PERL.ORG. Find some example scripts with their brief descriptions below:

Anonymous unencrypted bind - searching for UID

[ yet to come ]
[...]

{Python, C/C++, PHP}

0x0A. [LPIC-301] LDAP - Integration

2008-01-01T19:58:00.001Z

NSS and PAM integration
This is a very important one, has been described before in "Make use of LDAP"

Outlook
I could be entering my own settings into Outlook, then taking screenshots, then publishing them here, but what for? Someone has already done it better in this location.

Single Sign-On

I think that the best place to go for a more comprehensive explanation on SSO would be OpenGroup's SSO website. In short, SSO allows a user to authenticate once and be authorized to use her services for a specific period of time without a need to re-login. This, in conjunction with LDAP, gives flexibility and functionality and reduces human mistakes, e.g. while entering passwords. In order to achive SSO model, we need to deploy Kerberos.

To come: { www, nis, ftp, http, ssh, samba, freeradius, kerberos, AD }
[This article is obsolete and incomplete]
[...]

0x09. [LPIC-301] LDAP - Directory performance tuning

2008-01-01T19:55:00.000Z

Before we start
Prior to configuring slapd take few factors into consideration.

Main memory. It's always a good idea to extend it according to the needs so later you can scale the cache with the cachesize directive.
Hard drive. It's a good idea to allocate each database on a separate disk. Of course the faster hard drive you use, the better performance you get.
Filesystem tuning. noatime is one of the options you may want to use in /etc/fstab

Indexing

Start your performance tuning with the index directive in slapd.conf. Generally, indexing entries is supposed to speed up the performance, however, if you index entries you never or vary infrequently search for it will only slow down your directory.

If a search for some specific filter is performed particularly often, slapd can create an index based on the information available in the database. From now on if a user searches the directory the entries are returned based on the index and slapd won't waste its own and users time.
The general syntax for doing indexing with slapd is to add a line (or multiple lines) with the index directive to slapd.conf. The said line is of the following format:

index attr1[,attr2[,...]] index_type1[,index_type2[,...]]

where attrX is an arbitrary attribute, like objectClass, uid, cn, sn etc and index_typeX is one of the four following options:

eq - tells slapd to index all searches with an exact match for a particular attribute
sub - creates an index with substrings for the given attribute
approx - indexes entries with approximate or phonetic value
pres - checks for presence. Apparently this type is not very commonly used, as normally the application expects itself, if an attribute is present or not.

slapindex must be run every time you update index section in slapd.conf, otherwise the indexes won't be recreated.

Go to http://www.openldap.org/faq/data/cache/42.html for some more explanation.

DB_CONFIG
Internal database tuning can be achived by modifying DB_CONFIG file, located in the root directory of the database. For detailed information on the file itself please refer to http://www.sleepycat.com/docs/ref/env/db_config.html

db4.3_archive, db4.3_deadlock, db4.3_load, db4.3_recover, db4.3_upgrade, db4.3_checkpoint, db4.3_dump, db4.3_printlog, db4.3_stat, db4.3_verify are programs that come with Berkley DB 4.3. and can be used to verify / tune performance on the database itself.

other
Opulent logging can decrease performance. A simple solution for that is to reduce the logging level to minimum:
#
# - slapd.conf excerpt -
#

loglevel 0
#

0x08. [LPIC-301] LDAP - OpenLDAP customizing - schema files

2008-01-01T19:20:00.000Z

(This article is based on Section 9 of LDAP Admin Guide 2.3 http://www.openldap.org/doc/admin23/)

in default OpenLDAP installation schema files reside in /usr/local/etc/openldap/schema. If you install OpenLDAP as a package from your distribution you will find the files in /etc/openldap/schema
Schema files have to be included from under slapd.conf with the 'include' directive. slapd.conf normally starts with schema inclusion

6 schema files are distributed along with OpenLDAP, these are: (table ripped off directly from here)

Table 8.1: Provided Schema Specifications
File	Description
`core.schema`	OpenLDAP core (required)
`cosine.schema`	Cosine and Internet X.500 (useful)
`inetorgperson.schema`	InetOrgPerson (useful)
`misc.schema`	Assorted (experimental)
`nis.schema`	Network Information Services (FYI)
`openldap.schema`	OpenLDAP Project (experimenta

inetorgperson.schema is dependent on cosine.schema
Schema files distributed with the directory should never be modified. You should create new schema if you want to extend objectClasses and attributes.
OpenLDAP Admin Guide version 2.3 defines five steps while creating new schemas:
a) obtain object identifier (OID)
You can obtain an OID for your enterprise with IANA (http://www.iana.org/). An OID is a number in dot-decimal notation, uniquely identifying your organization. It has a similar format: 1.3.6.1.4.1.X, where X is an integer number representing you.
b) choose a name prefix
You should come up with a name prefix added to every attribute and object class in your schema. This way you avoid confusion with other non-standard schemas. An encouraged format for the prefix is topleveldomainCompanyname, e.g. deFirma, ieCompany, plFirma, tuxPorta
c) create local schema file
A customary name for your local schema file would be local.schema, but it fact it can be called whatever you want. Your local file should be included at the end of all other schema inclusions in slapd.conf
d) define custom attribute types (if necesarry)
Creating attributes is best described and illustrated with examples in RFC 2252. An attribute defined in a schema file should contain at minimum name(s), description and attribute syntax expressed as an OID. The list of attribute syntaxes and associated OID can be found in OpenLDAP Admin Guide 2.3, table 8.3 - Commonly used Syntaxes
e) define custom object classes
Object classes are defined in the schema file at the end following the definition of the attributes. Simplified object class definition has the following format:
```
    ObjectClass ( OID-in-numeric-format
            NAME "object-class-name-in-qdescrs-format"
            DESC "object-class-description-in-qdstring"
            OBSOLETE  ; only to denote obsolete class
            SUP  ( superior $ objectclasses $ separeted $ byDollar )
            ABSTRACT / STRUCTURAL / AUXILIARY ; STRUCTURAL by default
            MUST ( OIDs $ of $ mandatory $ attrs $ separated $ byDollar )
            MAY  ( OIDs $ of $ optional $ attrs $ separated $ byDollar )
  )
```

0x07. [LPIC-301] LDAP - Directory replication

2007-12-23T22:54:00.000Z

Our directory is being used all the time for some specific purpose, namely authentication. For that reason security had to be taken into account, nevertheless, it's stability now is of no less importance. Also, decreasing load on a (master) and moving it over to slaves increases performance of the whole directory instance. It is also important, that you come up with a good backup strategy. For all that OpenLDAP 2.3 and below provide slurpd daemon, which is responsible for directory replication. In OpenLDAP 2.4 slurpd was completely replaced with Syncrepl for a number of reasons.

slurpd logic
slapd and slurpd run on the same server, which from now on will be called master. Following this there are several slave servers running only slapd deamon. DNS for our ldap service should be configured with RoundRobin (in my case it's simply porta.tux, but ldap.porta.tux would be more appropriate), so when clients connect to the directory the load is distributed among the slave servers. They simply read the directory from a slave server. Now let's assume that a client wants to change password entry in the directory. This process is more complicated and, according to OpenLDAP admin guide, includes the following steps:

The LDAP client submits an LDAP modify operation to the slave slapd.
The slave slapd returns a referral to the LDAP client referring the client to the master slapd.
The LDAP client submits the LDAP modify operation to the master slapd.
The master slapd performs the modify operation, writes out the change to its replication log file and returns a success code to the client.
The slurpd process notices that a new entry has been appended to the replication log file, reads the replication log entry, and sends the change to the slave slapd via LDAP.
The slave slapd performs the modify operation and returns a success code to the slurpd process.

Say I have 3 slave slapd servers and one master. A client wants to perform a password change modification. The following happens: 1) client sends ldap modify request, 2) slave slapd server points the client to the master server, 3) client resends ldap modify request to the master server, 4) master server confirms success, 5) master server informs slurpd about the changes in the directory via changelog. 6) slurpd replicates the changes to all slave servers

A slave server which the ldap data is pushed to is called a replica server.

How to configure a replica?
Kick off with building a copy of your master ldap server on another computer. It is important to secure it as much as you do the master server, as slurpd on the master will update slaves with LDAP protocol, and you don't want sensitive data wandering over network unencrypted. Second step is migrating the data from the master server. Theoretically, you can copy the database files from the master to the slave, but make sure that the database software is compatible on both machines and that CPU architecture does not prevent compatibility. If you want to avoid these and possibly other factors there is a universal solution: slapcat. This will dump the database content in an LDIF format. Move this file over to the replica and slapadd it into the new directory. Once that is done we can get down to the configuration files... I presume that slapd.conf on both servers are fully functional.

Replica slapd.conf
We need to change the rootdn/rootpw for the replica server. Master's slurpd will use these credentials for modifying entries. If you decide not to use rootdn as the updating user it is good to doublecheck that this particular user has sufficient access.

# New rootdn/rootpw on the slave
# -- this is only an example, in real life rootpw should be hashed
rootdn "cn=replica,dc=porta,dc=tux"
rootpw "replicaPasswd"

# -- Now the most important part. updatedn (user responsible
# for updates on the slave) is associated with rootdn entry.
# slave's slapd will point users willing to write to updateref
updatedn "cn=replica,dc=porta,dc=tux"
updateref "ldaps://porta.tux"
#--

Master slapd.conf
Analogically, master should know the credentials for the slave and the hostname to refer to. The following directive accomplishes that:

# to add on the master slapd.conf
replogfile /var/lib/openldap-slurp/replica/slapd.replog
replica uri=ldaps://princess.tux
suffix="dc=porta,dc=tux"
binddn="cn=replica,dc=porta,dc=tux"
credentials=replicaPasswd
bindmethod=simple

replog
In the line above we defined the replog file. Slapd communicates with slurpd via replog. So what's it content?
#- replog
replica: porta.tux:636
time: 1198985069
dn: uid=spitfire,ou=People,dc=porta,dc=tux
changetype: modify
replace: userPassword
userPassword:: cXdTcffzZEZ6eG2N
-
replace: entryCSN
entryCSN: 20071230032429Z#000000#00#000000
-
replace: modifiersName
modifiersName: uid=spitfire,ou=People,dc=porta,dc=tux
-
replace: modifyTimestamp
modifyTimestamp: 20071230032429Z
-
#- end of replog

The snippet from the logfile shows that spitfire was changing password. Slurpd reads it and pushes the changes to further the slave servers. If it is unsucessful, it writes an error replog ( a .rej file) with exactly the same syntax as replog, but it adds ERROR at the beginning. (Example taken from OpenLDAP admin guide 2.3)

       ERROR: No such attribute
replica: slave.example.com:389
time: 809618633
dn: uid=bjensen,dc=example,dc=com
changetype: modify
replace: description
description: A dreamer...
-
replace: modifiersName
modifiersName: uid=bjensen,dc=example,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20000805073308Z

slurpd in One-shot mode and reject files
If you want to correct an error from error log, you needn't do it by hand. You can run slurpd in one-shot mode: (-o for one-shot mode and -r for file name of the replog to be processed)

slurpd -r rejected.replog.file.name.rej -o

After successful processing of the file slurpd exits instead of going into daemon mode.

slurpd operates in push mode only (master pushes the changes to the slaves)

syncrepl logic

A preferred alternative to slurpd is syncrepl. It is a consumer-side replication engine. Syncrepl uses LDAP Content Synchronization Protocol for keeping date up-to-date and supports both push- and pull-based replication. It is synchronizing automatically with the provider database.

The LDAP Content Synchronization Protocol supports two types of operation: refreshOnly (polling) and refreshAndPersist (listening).

Consumer server is synchronized during the polling and disconnects when finished (refreshOnly).
When refresh|AndPersist policy is selected, the consumer server remains connected and updates all the newly changed entries on the fly.

refreshOnly and the "refresh" part of refreshAndPersist can be performed in one of two phases: present or delete.

In the present phase the server slapd sends some information to client slapd, that is...
a) all the entries with their attributes that have been changed since the last synchronization
b) changed attributes in these entries with new values
c) unchanged attributes without values but being marked as "present" on the server
d) entries that haven't been mentioned do not exist, thus are removed from the client slapd

In the delete phase the information sent by the server slapd is as follows:
a) all the entries with their attributes that have been changed since the last synchronization
b) changed attributes/entries with new values
c) unchanged attributes are not mentioned
d) removed entries without values but being marked as "deleted" on the server

The refreshOnly operation is finished with LDAP Sync sending a cookie to the LDAP Sync client. The client will present this cookie to the server before priot to the next synchronization in order to check if something has changed on the server since the last sync.

The difference between refreshOnly and refreshAndPersist is that in the latter the connection between sync servers is not terminated and the state cookie can be updated anytime the servers request it.

You can find out more refering to http://www.openldap.org/doc/admin23/syncrepl.html.

configuring syncrepl
You can start with undoing changes we did during slurpd configuration :)
As mentioned above, syncrepl is a LDAP Sync Client (consumer) based type of replication, that's why there is not to much to do on the LDAP Sync Server's (Provider's) side.

   # --
   overlay syncprov
   syncprov-checkpoint 100 10
   syncprov-sessionlog 100
   # --

the first directive defines the syncprov overlay.
Second line is the providers checkpoint limit. In the example above a checkpoint will be performed every 100 LDAP operations or every 10 minutes, whatever comes first.

On the client LDAP Sync side things are getting more interesting:
# -- snippet from slapd.conf on princess-pc
syncrepl rid=1
provider=ldaps://porta.tux
type=refreshOnly
interval=00:01:00:00
searchbase="dc=porta,dc=tux"
scope=sub
bindmethod=simple
binddn="cn=Manager,dc=porta,dc=tux"
credentials=secret
# --

So our princess-pc will connect to porta.tux every hour and will perform refreshOnce operation. It uses rootdn of the master provider server (what from the security point of view is not the smartest thing to do)

constrains:
ldbm backend does not support refreshAndPersist

0x06. [LPIC-301] LDAP - Tightening security

2007-12-07T10:02:00.000Z

In the previous post I confugured nss_ldap and pam_ldap, but the ACL applied to this configuration not only allows users to read other users passwords but also change them! We should change it ASAP.

ACL
The OpenLDAP ACL syntax is not too complicated and it lets us express all we need. The general syntax rule is:

access to (resource)

by (whom) (access level)

where:
resource can be represented as

*	any entry in the entire directory
regular expression	a regex denoting an entry or a group of entries. There are four methods of inheriting the expression: - dn.base=regex - dn.children=regex - dn.one=regex - dn.subtree=regex
filter=(LDAP-Filter)	A standard LDAP filter, e.g. ...
attrs=	A list of attribures with specific access control. A very common example would be userPassword which should not be read by anyone but the owner who also should have write permission in order to change it.

who can be represented as:

*	anonymous	users	self	dn	group=*
anyone	non authenticated users	authenticated users	user trying to get access to his DN entry	user defined by the specific DN	an ldap group in DN notation

and finally access level is one of the following:

none	-	no access is granted
auth	x	The right for authentication. Client sends credentials to the server, server compares and responds.
compare	c	If the client knows what's the value of the entry already, the value can be confirmed already. Works similar to auth access level.
search	s	ability to search the entry with filters
read	r	full read access
write	w	full write access

Note: There are more options for OpenLDAP ACL syntax. For complete reference go to OpenLDAP Admin Guide

Based on that we want to come up with a solution which would:
- not let anybody change other user password
- not let anybody read other user password
- still be able to read other users contact data
Here is the answer:
access to attrs=userPassword
by self write
by * auth
access to *
by * read

The sequence in which the ACLs are defined is of great importance. Basically, you always should specify the most specific entries first, followed by less specific ones, finishing with totally general definitions, like in the example above. That's the reason behind it: the first matching entry from the top gets applied.

TCP Wrappers

slapd is a tcpd aware server. You can configure /etc/hosts.deny and /etc/hosts.allow accordingly to increase security. It's not a good idea though to trust TCP wrappers completely. iptables should be the preffered method of securing the network environment. Anyway, this configuration should cut off connections from the outside networks:

# /etc/hosts.allow
slapd: 192.168.1.0/255.255.255.0 127.0.0.1 : ALLOW

# /etc/hosts.deny
slapd: ALL : DENY

SSF

Security Strength Factor is not the best documented feature. According to the OpenLDAP Admin Guide SSF indicates the relative strength of protection, whereby 0 = no protection at all, 1 = data integrity check, 56 = DES encryption, 112 = 3DES and everything over 128 denotes one of the strong, modern algorithms like AES, RC4 or Blowfish. Different SSF value depends on the key length.

SSF will be used during ACL planning and SASL authentication.

SASL

An alternative to simple binds is Simple Authentication and Security Layer. It is a framework of different standarized security mechanisms providing strong authentication and data integrity checks. I will discuss implementation of SASL DIGEST-MD5 and GSSAPI configuration.

Before you start troubleshooting your SASL configuration, it's worth checking if your slapd supports SASL at all. This command is very helpful in determining this:

$ ldapsearch -x -s "base" -b "" supportedSASLMechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#

#
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

OK, my server supports 6 types of SASL authentication. If your does not, the only solution now is to shut it down, (re)compile cyrus-sasl package with appropriate options (-> Kerberos!!!, otherwise no GSSAPI) and recompile the entire openldap again. If you don't do it you can see a message saying "ldap_sasl_interactive_bind_s: No such attribute" when running openldap tools on the client side. In this case the message means literally "your server does not have support for SASL".

DIGEST-MD5
The DIGEST-MD5 assumes that both the server and the client know the shared secret, that is a password. During the authentication process the following occurs:
1. Connection is initiated
2. Server sends a challenge to the client, it is based on a known password
3. Client responds to the server with a response to the challenge.
4. Server refers to the response in order to decide if the client knows the password.

Configuration
As always, some minor corrections of slapd.conf are necessary. I had to enrich my slapd.conf with the following snippet:
-------
sasl-realm PORTA.TUX
sasl-host porta.tux
authz-regexp
uid=([^,]*),cn=porta.tux,cn=digest-md5,cn=auth
uid=$1,ou=people,dc=porta,dc=tux
-------
The first two lines define the SASL realm and the hostname/IP address of the SASL host to refer. Following lines are a translation of "ldap dn username" to "sasl username" mapping.

According to the LDAP-HOWTO, the uid is taken from SASL and mapped to it's LDAP DN counterpart.
The first part of the configuration directove has the following format:
uid=username,cn=realm,cn=mechanism,cn=auth
where "mechanism" is the SASL mechanism applied - in my example - "digest-md5".

In DIGEST-MD5 passwords can be stored either in SASL database (accessible via saslpasswd2/sasldblistusers2 commands) or directly in the LDAP directory, in the latter case however the password hash must be set to {CLEARTEXT}

I chose to store my passwords in the directory itself. Now, let's see the outcome.

$ ldapwhoami -U spitfire -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: spitfire
SASL SSF: 128
SASL installing layers
dn:uid=spitfire,ou=people,dc=porta,dc=tux
Result: Success (0)
$

GSSAPI for Kerberos
SASL GSSAPI mechanism used in conjunction with Kerbeos V allows you to use SSO (Single Sign On). That is, you enter your password once only, when you request a kerberos ticket, and you can work on being fully authenticated. Next time you need to enter your password would be either when the ticket expires or if you destroy it. Practically, it creates less potential opportunities for the attackers to take over your password (e.g. by keylogging), but the users must be educated to lock their screens / logout when they leave the workplace for even short time.

Configuration
1. Let's start with changing the authz-regexp directive in slapd to the following format:
authz-regexp
uid=([^,]*),cn=porta.tux,cn=gssapi,cn=auth
uid=$1,ou=people,dc=porta,dc=tux
2. You need to create a kerberos principal ldap/your.realm. Use addprinc, ktadd, cpw within kadmin.local to create it and export the kerberos keytab. Create another principal for your user (spitfire).
3. Make sure your slapd can read keytab while running. Otherwise you won't be able to authenticate.
# chown root:ldap /etc/krb5.keytab
# chmod 660 /etc/krb5.keytab
# /etc/init.d/slapd restart
4. Let's try to authenticate with GSSAPI.
# ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)
# kinit spitfire/porta.tux
Password for spitfire/porta.tux@PORTA.TUX:
# ldapwhoami
SASL/GSSAPI authentication started
SASL username: spitfire/porta.tux@PORTA.TUX
SASL SSF: 56
SASL installing layers
dn:uid=spitfire/porta.tux,ou=people,dc=porta,dc=tux
Result: Success (0)
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: spitfire/porta.tux@PORTA.TUX

Valid starting Expires Service principal
12/23/07 03:53:38 12/24/07 03:53:38 krbtgt/PORTA.TUX@PORTA.TUX
12/23/07 03:53:50 12/24/07 03:53:38 ldap/porta.tux@PORTA.TUX

Works OK. Note: I didn't have to enter my password while performing ldapwhoami.

0x05. [LPIC-301] LDAP - make use of LDAP: nss_ldap and pam_ldap

2007-11-25T18:23:00.000Z

Note: if you configure this for the first time, make sure you pick a proper Linux distribution (clients). I have tested it on different Linuces and especially distros being "too user friendly" and those "security-enhanced" ones might have a little confusing pre-defined configuration and things won't go as described below, at least not quite.

As our directory is a little more secure than it used to be, we can start serving some sensitive data like personal information, preferences or, more importantly, login credentials. Creating an LDAP users database from scratch can be a tedious process, especially if you already have a ready /etc/passwd file or a NIS/NIS+ infrastructure. This is where PADL MigrationTools come in handy. The software can be downloaded from the PADL website. Once we have our databases migrated, we can start pulling information about our user from the OpenLDAP server and authenticate them with pam_ldap, both plug-ins are downloadable from PADL.com.

I will kick off with a few words of introduction to every package.
MigrationTools - a collection of perl and shell scripts which help you convert your existing NIS, NIS+, NetInfo or flat file databases like fstab, hosts, services etc into ldap-readable LDIF format. It is also possible to dump these databases directly to the ldap server either with ldapadd (with running slapd) or with slapadd (slapd is down, dump goes directly into the database file).

MigrationTools do not require too much customization. You should remember to change $DEFAULT_MAIL_DOMAIN, $DEFAULT_BASE and $DEFAULT_MAIL_HOST in migrate_common.ph according to your dc base, otherwise your LDIF entries will contain "dc=padl,dc=com" suffix.

Let's say, I want to migrate two entries from my /etc/passwd file:

porta MigrationTools-47 # grep -E "princess|spitfire" /etc/passwd > passwd
porta MigrationTools-47 # cat passwd
princessnatalka:x:1001:100:Princess Natalka,1,085313373,087654321,Sharp:/home/princessnatalka:/bin/bash
spitfire:x:1002:100:Spit Fire,2,(1231)1029384756,6574839201,If I was in WWII they'd call me spitfire:/home/spitfire:/bin/bash
porta MigrationTools-47 # ./migrate_passwd.pl ./passwd passwd.ldif
porta MigrationTools-47 # cat passwd.ldif
dn: uid=princessnatalka,ou=People,dc=padl,dc=com
uid: princessnatalka
cn: Princess Natalka
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$fMFhgCEB$v44E8xfZA2PSIGv5.QXmY.
shadowLastChange: 13849
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/princessnatalka
gecos: Princess Natalka,1,085313373,087654321,Sharp
[...]

nss_ldap - This is a plug-in for Name Service Switch on a Linux / Solaris system. If you think you need to catch up with NSS, I recommend the manual (5) page for nsswitch.conf file. Basically, we want the system calls, e.g. struct passwd *getpwent(), to grab the information about users from LDAP if the users are not found in /etc/passwd file. nss_ldap binds to the LDAP server, looks up the appropriate entry, translates the content into getpwent-readable format of username:password:uid:gid:gecos:home:shell and points the function to it.
This library very often comes pre-compiled with the distribution. In case it's not, you can download it from PADL website and compile it.
In order to enable nss_ldap you need to edit /etc/nsswitch.conf. An example file follows:
>8--->8--->8--->8--->8--->8--->8--->8---
# /etc/nsswitch.conf:

passwd: files ldap
shadow: files ldap
group: files ldap

hosts: files dns
networks: files dns
[...]
8<---8<---8<---8<---8<---8<---8<---8<---
I have placed my "ldap" entries behind "files". As a result, if there are two accounts with the same posix name in /etc/passwd and LDAP database, NSS will read the local entry and ignore the one from LDAP. In other words, local entries have higher priority and the LDAP entries will be read in every time when there is no matching local account.

nss_ldap configuration file is ldap.conf. Refer to the manual page for details.

NOTE: If after changing your nsswitch.conf you are having hard times booting up you may want to set the bind_policy to soft in ldap.conf. It will soften the policy of reconnecting to an unavailable LDAP server. The default hard_open keeps reconnecting thus preventing the system to boot.

Now, let's see the outcome of our changes:
$ finger spitfire
Login: spitfire Name: Spit Fire
Directory: /home/spitfire Shell: /bin/bash
Office: 2, (1231)1029384756 Home Phone: 657-483-9201
Last login Sun Dec 2 18:11 (GMT) on pts/1 from 192.168.1.4
No Mail.
No Plan.

On many systems nss_ldap is enough to authenticate an LDAP user on the local system. If you want to have extended functionality for LDAP users, e.g. password changing, keep reading...
pam_ldap - finally authenticating users. Fortunately, configuring PAM is quite easy, especially, if you have common-[auth|password|account] files in your /etc/pam.d/ directory. These files will be included into all authentication services as their common part. Please find my sample common-* files from an OpenSUSE installation below:
common-auth:
auth required pam_env.so
auth sufficient pam_ldap.so try_first_pass
auth required pam_unix2.so
common-account:
account sufficient pam_ldap.so
account required pam_unix2.so
common-password:
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_ldap.so try_first_pass
password required pam_unix2.so nullok use_authtok

Given an example of my sshd pam-aware daemon, if the configuration file looks like as follows...
/etc/pam.d/sshd:
#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session

... my sshd service will be fully LDAP enabled. The same about other services which include common-* files.

NOTE: It's a good idea to add use_first_pass or try_first_pass options to pam_ldap.so in the PAM configuration files, otherwise both modules will ask you for your password separately. In the worst case, if you try to change your password over LDAP with the passwd command, you will be prompted for your password as many as 4 times!!!

In order to be able to change passwords we should apply specific ACLs. This will be discussed in the next post, for now a very ugly ACL. Append these two lines to your slapd.conf
#---
access to *
by * write
#---
Let's perform a test...

$ ssh spitfire@princess
Password:
Have a lot of fun...
spitfire@princess:~> passwd
Changing password for spitfire.
Enter login(LDAP) password:
New Password:
Reenter New Password:
LDAP password information changed for spitfire

0x04. [LPIC-301] LDAP - Secure your directory

2007-11-16T22:04:00.000Z

We have a working directory service. Let's search it through running tcpdump on another terminal.

# tcpdump -i ath0 -Avvv tcp -s 1000
[...]
22:37:19.725215 IP (tos 0x0, ttl 64, id 34532, offset 0, flags [DF], proto: TCP (6), length: 451) porta.tux.ldap > princess-pc.tux.4714: P, cksum 0xe48c (correct), 107:506(399) ack 78 win 181
E.....@.@..............jW..Z~..?...........
..O...s.0......d....#cn=kitchen,ou=rooms,dc=porta,dc=tux0..[0...cn1 ..kitchen0...objectClass1...top..room0..*..description1.......
A kitchen, is a room or part of a room (sometimes called "kitchen area" or a "kitchenette") used or food preparation including cooking, and sometimes also for eating and entertaining guests, if the kitchen is large enough and designed to be used that way.
(SOURCE: WIKIPEDIA)
[...]

The information is not secured in any way. An unsecured directory is not suitable for serving sensitive data. I'm going to enable basic security by configuring TLS.

Enabling TLS
In order to enable TLS you need to have a working OpenSSL installation. We use a perl script called CA.pl (depending on the distribution/installation the script lives in /etc/ssl/misc or /usr/lib/ssl/ or possible other locations).

1. Generate a new certificate:

# cd /etc/ssl/misc
# ./CA.pl -newcert
Generating a 1024 bit RSA private key
..............++++++
.......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IE
State or Province Name (full name) [Some-State]:Dublin
Locality Name (eg, city) []:Dublin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OOZIE
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:porta.tux
Email Address []:r00t@oozie.tux
Certificate is in newcert.pem, private key is in newkey.pem
#

2. Remove password from the newkey.pem file.
CA.pl created a password protected certificate. In other words, the certificate is encrypted with the password. If you don't remove the password from the cert you will need to enter it every time slapd starts up. We don't want that...

# cat newkey.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,96736B31B990FBA6

+sLcj1Uu98B/+2MAn51FhnOURbhE1fJDu/X1XHBn8Sg4zX4g7GcUmHFfCsrdR1Jq
in/8l3T+cPrr448BWhvgf7tDksYlOZYLFnsleiFIrroAJ0vnSsiPxymJOa4zxqU7
sd6eh/pRjjlX1EY7G0i+Xt91cq/nnVzqIeap+Co6rLiSDHPDqXbTyrm+md5HUpe1
YDfgstSYdbTkDjxs3yx6oP54HYtDixiPm8JSjFjdo630vDg4m8xK3Ona1gsY+ZLh
dAlBeRQpONNF4d7cx7Qa3i3J+qI/URMakyrNNFVJJNQeDst/sxYe8M+axykgm4H1
J1Gy6vjKegp6eI2s+WbMwXp+E35NFQIxpuriJDK2QEU1ROyqlzZi1I5XmSye76kF
LszVxJbkHGqACD7Edvlo+ZIPY3w4lh/yhpK5iiXWmiuSYLG1UZkc9Tl3nA6PqiB2
z1xhfOxbiAKS4S/YIspaTFKbZovTwnl1DXXDA4/3ghM/m0j3sIoeMLwuqDhSSmY5
2UvCv3lsCw2Fz6wOO6lghVEi6ZqzhrCVi2WneXFNavLeWIv0qUSZDGHQvS1/kjC0
Mhw/9ybjgvYbZMd62uNiffIvIy2GHTx5jhIXZnUiYDZCjtOxzDAmMjcxxaVRN/Kf
jVTM9NP6ZG/CaUl2hYjuOkNDmBUZ8H3RafnwoHuFmWMmihKG5O+mFwukql7llqcT
kIthB5nbIsRxP6bgXbF0NvHkO9M+tSnamzaPuiwYs4bvfhYbX3GWSXyQ5323sjP7
Ke+2/N0Ol+dLPONgdHmePf+FfM9anT0VgAxdf4pVs8TCbmxVNF/wrA==
-----END RSA PRIVATE KEY-----
# openssl rsa -in newkey.pem -out newerkey.pem
Enter pass phrase for newkey.pem:
writing RSA key
# cat newerkey.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDBPNnk3UN4y1Gs+qgeRkPtb/GtdjG6CShW7L1Ch9DPjmm/d1ps
MiSAk9+tqGc5u7cccERN3UWiBaBNk6aBqdrFqr3MWaV4Fm3ilnlxDAGEJJ/tdjnx
Uxl37f/UffyOrBUUW1h6DkoEgIyWtGmCHeO0GhJEkCmvqqQ4TfcJHBSHaQIDAQAB
AoGACev68CJgRYKDBhO0sCFBeZ6G1TY9ZWT0+kmbih/5G78fNOKG9Qk6EJQHJx5/
dlpqE368MxdKbQBG89TB9uRmxCppWH7GoPuCzm7WV+/GtDAxisZMvSvW89ptHMOb
Ev7FPwFvlr6ENrN+Woiz51GHGZhUBH7R7XuVRJ3uPM99v5ECQQD/nxCI9zwDoGhC
exDSYTrvDIxC/WpLNxeGXrIdj9CHoku4M16hycKduZb5AOOwCUi8gG0uufFSIqW4
pYqzKCaVAkEAwYYhN4cSwLs5O6p619FvQXbaZzv1huyEqjMcsTsrtJiv77Wj5f/m
AciTA2upDA/kcqwtb7TzaKdKrNZYKeOMhQJBAPu+jMtHKbysmmF2z/9RMHhC1FQZ
PTisHigAVMxWWVlq1cWoGbeee2NYZr3+ST6SNicnF+Af0fFBHBK4PdvpW+0CQQCI
4OgJsF4RN9tpWlF86MN6WChuMDifcBb9kx1ONf3ZxM1cDOuaOH9k74scNj/hKjR4
71NL2X74nKryyMCfEDVJAkBnNWLEgKWYkrxsTsVTekcGadNaKvY1gud//gQJ1RCM
UfAX7wccENvVTU3DquarfXF639QjQ0k8CEj1W+dwa94K
-----END RSA PRIVATE KEY-----

3. Move these files to one location and secure the permissions. It is important to change the ownership of the private key file to the user which OpenLDAP is running as, otherwise slapd won't start.

# mv newerkey.pem /etc/openldap/ldap-key.pem
# mv newcert.pem /etc/openldap/ldap-cert.pem
# chown ldap:ldap /etc/openldap/ldap-key.pem
# chmod 600 /etc/openldap/ldap-key.pem

4. Get down to slapd configuration.

There are three necessary options we should specify in slapd.conf file.
TLSCipherSuite - defines what cryptographic algorithms the server is going to use. Possible values (if multiple are used, they are separated by a colon): HIGH, MEDIUM, +SSLv2, ...
TLSCertificateFile and TLSCertificateKeyFile - these are pretty much self explanatory.
You should append the following three lines to slapd.conf and restart the daemon:

[...]
TLSCipherSuite HIGH
TLSCertificateFile /etc/openldap/ldap-cert.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem

We should now enable slapd to listen on ldaps port (636). It can be done by passing '-h ldaps:///' to slapd while starting it, e.g. on GENTOO edit /etc/conf.d/slapd and type OPTS="-h ldaps:///". This will do the trick and the next time you restart slapd it will listen on ldaps only. If you extend the argument to "-h 'ldaps:/// ldap://'" it will listen on both ports 389 and 636.

5. Correct some lines in the ldap.conf on the client side.

An example follows.

##
# ldap.conf
##
SSL START_TLS
BASE dc=porta,dc=tux
HOST porta.tux
# If URI value is different than the CN on the certificate it may result
# in error (TLS: hostname does not match CN in peer certificate) in some configurations,
# when TLS_REQCERT is set to hard or is not specified at all.
URI ldaps://porta.tux/

TLS_CIPHER_SUITE HIGH
TLS_REQCERT allow

6. Check now if things work and if the connection is encrypted:

# tcpdump -i ath0 -Avvv tcp -s 1000
[...]
22:20:22.252954 IP (tos 0x0, ttl 64, id 11062, offset 0, flags [DF], proto: TCP (6), length: 1500) porta.tux.ldaps > princess-pc.tux.6376: . 2937:4385(1448) ack 517 win 108
E...+6@.@............|....I.9#.....l$......
.x)........Bn.e..EaP9}.... ".}W,=evN.i!{...`=,.W.W/[..MIy/._.Lp.;~.G...L.y...v.Eh.E....5m.T,:.. pR..Wqj.y..._..v...j]..H...t..>....IaV..-........P....=C...v......s*.....MS.
...
.NE.........]6.m.......b.\.c. ..Y...z5..Aco... J0.+.....[=4VHc......k....q..... a)IB....l..t.&.d...d.91..qgE..6.......l.f2....nq... ..!...D....A,.%4.XL..&..I..}..ETH..q..dx.Q..R.d....H)h.WFR.[..\...]J.k>..\v.jpHF...W..T...M..U*t...C.D......!.+,...7.....m.. .....p......y..?cj...;....J.....oZ]...&.r.!~.^....0/.....J#...^.N.1`....y.*..4Je"...............[...5.9B..;..g/g......Q4.ZH.=.....f.y.(...\Gl.=......=...AW..A.._..s.E.w}s.0...8}...
.._#(...vx.`ah...Q..CQC.X>..........F..o{U....O.i.B.....06"..r.e..
k^...V6..<&X.[...n........Q...mJ. f.w3.. _nt...C.Z.kv....Y.....J..{}...;+.E ..pI..c.#.;f6.dI..iP...>.u..^.i..f.e.|....s.-.2.X..;.d#..
[...]

That looks much better.

(Un)Setting rootdn and rootpw
rootdn comes by default in slapd.conf with a clear-text password. Keeping it this way is not the best idea, because:
- clear text passwords never are
- no ACLs apply to rootdn (in our case "cn=Manager,dc=porta,dc=tux") so it's a common practice to remove rootdn from slapd.conf and use regular accounts for introducing changes to the directory.
If you want to keep rootdn then changing the password should be done ASAP. This task can be accomplished with slappasswd program.

porta # slappasswd -s 's3(r3t' -h {SSHA}
{SSHA}HB7uA/XbtlVuDQ/ZF0jdJyWEe6E1jLc7

now ctrl+c, ctrl+v into slapd.conf
If you use slappasswd with -s option, make sure it does not stay in your .bash_history ...

0x03. [LPIC-301] LDAP - Entering data into OpenLDAP

2007-11-10T23:43:00.000Z

It's time to enrich the directory in data. We enter the data to the LDAP server with help of LDIF files. LDIF stands for LDAP Data Interchange Format. LDIF is described in detail in the following RFC documents: RFC2849, RFC4510, RFC4525.

The very first entry in the LDAP directory will be the top element of the Directory Information Tree, in my case dc=oozie,dc=tux.

##
# top.ldif
##
dn: dc=porta,dc=tux
dc: porta
objectClass: domain
objectClass: top

First line specifies the distinguished name for the LDAP suffix. Second line specifies the necessary attribute specified in 'domain' objectClass, line 3. Line 4. is mandatory according to RFC2256:

5.1. objectClass

The values of the objectClass attribute describe the kind of object
which an entry represents.  The objectClass attribute is present in
every entry, with at least two values.  One of the values is either
"top" or "alias"

We can feed our OpenLDAP server with the LDIF above. For this purpose I use slapadd command. You should remember, that slapd should not be running at this time, otherwise you can get an error message complaining about the database being in use. Prior to using slapadd perform /etc/init.d/slapd stop, and then...

root@porta.tux # slapadd -l top.ldif

root@porta.tux #

... should do the trick if there are no error messages.
root@porta.tux # /etc/init.d/slapd start
root@porta.tux # ldapsearch
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# porta.tux
dn: dc=porta,dc=tux
dc: porta
objectClass: domain
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

root@porta.tux #

Works fine.
We are now about to create a sample directory. As our OpenLDAP server is completely unsecure at this stage (clear text password and no encryption), data contained in the directory should be absolutely insensitive and non-confidential. Using cosine.schema, which contains the 'room' objectClass it's possible to create a directory of typical rooms one can come across in everyday life along with their descriptions. The full LDIF file with the directory can be found here [rooms.ldif]. A short snippet below:

####
# rooms.ldif by OOZIE
#
# As per section 3.8 in RFC4524, I use room objectClass to create a
# directory of typical room types.
#
# 3.8 [...]
#
# The 'room' object class is used to define entries representing rooms.
# The 'cn' (commonName) attribute SHOULD be used for naming
# entries of this object class.
#
# ( 0.9.2342.19200300.100.4.7 NAME 'room'
# SUP top STRUCTURAL
# MUST cn
# MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) )
#
# The 'top' object class is described in [RFC4512]. The 'cn',
# 'description', 'seeAlso', and 'telephoneNumber' attribute types are
# described in [RFC4519]. The 'roomNumber' attribute type is described
# in Section 2 of this document.
#
# [...]
#
####

dn: ou=rooms,dc=porta,dc=tux
ou: rooms
objectClass: organizationalUnit
objectClass: top

dn: cn=kitchen,ou=rooms,dc=porta,dc=tux
cn: kitchen
objectClass: top
objectClass: room
description: A kitchen, is a room or part of a room (sometimes called "kitchen area" or a "kitchenette") used for food preparation including cooking, and sometimes also for eating and entertaining guests, if the kitchen is large enough and designed to be used that way. (SOURCE: WIKIPEDIA)

dn: cn=living room,ou=rooms,dc=porta,dc=tux
cn: living room
objectClass: top
objectClass: room
description: A living room, also known as sitting room (especially in the UK), lounge room or lounge (in the United Kingdom and Australia), is a room for entertaining guests, reading, watching TV or other activities. The word Lounge is from the Latin, it was brought over later on by the French.

[...]

Previously we used slapadd on the local server with slapd turned off. Now we are going to add the entries from the LDIF file above on the client side while slapd is running on the server.

1. Copy /etc/openldap/ldap.conf or /etc/ldap.conf to the same location on the client.
2. Perform an anonymous search on the client with ldapsearch -x
3. If it works fine, use the following command with the parameters according to your slapd.conf in order to add room entries:

root@porta.tux # ldapadd -x -f rooms.ldif -D "cn=Manager,dc=porta,dc=tux" -w secret
adding new entry "cn=kitchen,ou=rooms,dc=porta,dc=tux"

adding new entry "cn=living room,ou=rooms,dc=porta,dc=tux"

adding new entry "cn=bathroom,ou=rooms,dc=porta,dc=tux"

adding new entry "cn=drawing room,ou=rooms,dc=porta,dc=tux"

adding new entry "cn=bedroom,ou=rooms,dc=porta,dc=tux"

adding new entry "cn=storage room,ou=rooms,dc=porta,dc=tux"

root@porta.tux #

... where -D specifies the rootdn from slapd.conf, what follows after -w is your password, -x tells to open a simple bind (no SASL), and -f tells ldapadd what LDIF file to get the data from.

At this point I have a working directory service and we can start searching through it.

0x02. [LPIC-301] LDAP - /etc/init.d/slapd start

2007-10-29T22:10:00.000Z

In order to start our new server we need to look into the servers configuration file, /etc/openldap/slapd.conf, and configure the base. You should think of:

base suffix for your directory, e.g. dc=oozie,dc=tux
which database backend you would like to use, e.g. bdb
a name for the person ruling the directory, so called rootdn, eg. Manager
a good password for rootdn

This is a very basic slapd.conf file:

##
# My slapd.conf
##
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
#
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#
database bdb
suffix "dc=oozie,dc=tux"
rootdn "cn=Manager,dc=oozie,dc=tux"
rootpw secret
directory /var/lib/openldap-data
#
password-hash {CLEARTEXT}

Configure also your /etc/openldap/ldap.conf or /etc/ldap.conf accordingly. This is how I do it:

##
# My ldap.conf
##

BASE dc=oozie,dc=tux
HOST 192.168.1.2
URI ldap://192.168.1.2/

Right now, a command /etc/init.d/slapd start should generate some files in /var/lib/openldap-data directory and start OpenLDAP server. The slapd is running, but it's completely empty. If you try to search it through with ldapsearch, it should give you error (32) - No such object.

0x01. [LPIC-301] LDAP - Obtaining and building OpenLDAP

2007-10-22T00:26:00.000+01:00

0. Obtaining
According to OpenLDAP Admin Guide Version 2.3, you can obtain the software from the following locations:
HTTP: http://www.openldap.org/software/download/
FTP: ftp://ftp.openldap.org/pub/OpenLDAP

You can get the software in two main series: release and stable. What is the difference between "release" and "stable" versions? section on the projects website states:

The term "release", as used on the download web page [...] refers to the lastest version of the OpenLDAP Software available for "general use". The term "stable" refers to the last "general use" release that has demonstrated itself as being reliable in real world environments.

Before extracting the package, we should consider what are the requirements for the openLDAP. There is a number of packages that should be installed prior to building openLDAP. If you want to have an LDAPv3 compilant server then you should not forget about the following packages:

Transport Layer Security - http://www.openssl.org/
Kerberos - Either Heimdal or MIT Kerberos will do the trick.
Heimdal - http://www.pdc.kth.se/heimdal
MIT - http://web.mit.edu/kerberos/
Cyrus SASL - http://asg.web.cmu.edu/sasl/sasl-library.html
Database Software. Sleepycat -
http://www.sleepycat.com/download/
http://www.sleepycat.com/products/transactional.shtml
TCP Wrappers

I presume from now on, that you have already downloaded the tarball, checked the md5sum and extracted the software.

1. Configuring
It's always a good idea to start by reading the INSTALL file. I leave you to it. Here we will focus on the configure script, more precisely on it's optional-packages and SLAPD switches.
The script gives us a number of options for customization. It accepts the options in two ways:
- parameters like --with-tls, --enable-slurpd
- CC, CFLAGS, CPPFLAGS, LDFLAGS, LIBS, PATH can be accepted as environmental variables. We won't use this way here.

You use 'configure' to enable or disable features in your OpenLDAP build. The general rule for enabling a particular feature is to add --enable-FEATURE to the command prompt before hitting enter. There is a similar rule for disabling functionality. Type --disable-FEATURE or --enable-FEATURE=no in order to disable FEATURE.

The following features are enabled by default: debug, proctitle, slapd, cleartext, bdb, hdb, monitor, relay, syncprov.

If the system detects support for the following features, they are activated automatically: syslog, ipv6, local, rewrite, ldbm-api, ldbm-type, slurpd, cyrus-sasl, fetch, threads, tls, yielding-select, mp, odbc

For a little more detailed information try ./configure --help

2. Building
The whole build process takes four steps.
I. Configuration by running ./configure script, talked
II. Building dependencies by doing make depend
III. Building the executables by running make
IIIa. Optionally, you can run a test - make test. If you fail, review your configuration.
IV. Installing the software with make install with root privileges.

That's it.

0x00. [LPIC-301] Terms and definitions

2007-10-06T23:45:00.004+01:00

Before we start, it is a good idea to explain, at least briefly, some of the terms and definitions we need to know while preparing for LPI 301 examination. What you will find below is an extract from LPI 301 Detailed Objectives from the LPI website. I will put some more extensive explanations for the terms below as we go along with the material and also I will most likely modify this post a couple of times in order to extend the information included (or a total lack of information).

LDAP and X.500 concepts
The LPI 301 exam will require from us comprehensive knowledge about LDAP. Let's start with one frequently asked question: What is a "directory" and what's the difference between a directory and a database? In fact a directory is a specialized type of a database. Its main characteristic is that a directory is much more often read from or searched through rather than updated (written to). This allows a directory to specialize and optimize the search process. On the other hand a database can mostly hold an arbitrary data format, whereas a directory consists of objects, which are specialized data units. Classic examples of a directory are a phone book, an internal list of employees with all their personal data, or a book index in a library. Now, make sure you are also familiar with the following terms salad:

Directory service is a software solution which stores and organizes information about network users and resources and helps administrators manage them, e.g. by controlling these users' access to the resources.
Meta-Directory is a concept of a centralized directory containing all sorts of information, starting with personal data, authentication credentials, hardware listings, printer addresses, etc. By employing Metadirectories enterprises possibly save money and improve access control to resources. This article is a good reading if you are looking for more info.
X.500 standard is a set of protocols supporting directory services. It was invented in 1984 by International Telecommunication Union (CCITT). It consists of the following protocols: Directory Access Protocol, Directory System Protocol, Directory Information Shadowing Protocol, Directory Operational Bindings Managment Protocol. It was developed with 7-layer OSI model in mind, although it's possible nowadays to run it on TCP/IP as well.

LDAP stands for Lightweight Directory Access Protocol, because it's the 'lightweight' alternative to X.500 directory services. LDAP is based on the TCP/IP protocol. According to Wikipedia Tim Howes, Steve Kille and Wengyik Yeong started to work on LDAP in 1993. LDAP and X.500 are constructed on Directory Information Tree skeleton.

Directory Information Tree - is the fundamental data skeleton for both the X.500 and LDAP implementations. Like many other data structures in computing world this one is also represented as a tree. An example of such can be found here. LDAP information model in a tree is built of entries.
LDAP Entry - a directory entry that is a collection of attributes and has a unique Distinguished Name (DN)

Distinguished Name - a directory entry name in it's absolute form. DN consist of RDN (Relative Distinguished Names) and the parents entry distinguished name, e.g.
uid=foobar,ou=People,dc=company,dc=org,
where
green = RDN (it is distinguished within the organizational unit 'People')
green + cyan = DN (it is uniquely distinguished within the whole directory)
LDAP Attribute - a basic data structue, consisting of two parts, namely a pair of a type and value.
objectClass - is a special attribute that defines how a particular entry should look like, what attributes is it allowed to have and what syntax should be used in them. objectClasses are defined in schema files.
Schema Files are skeleton for LDAP entries. They contain object classes and attributes requirements used by different DNs. Schema files normally reside in the /etc/openldap/schema directory.
White Pages schema is a data model describing the organization of entries in a directory service. The name comes from the white pages in a telephone book which contain information about individuals, as opposed to yellow pages revealing information about companies. The entries are sorted according to individuals location, alphabetical order of their names, etc.

Capacity planning
Pretty Damn Quick (PDQ) is an open source version of performance diagnostics and capacity planing software. It's freely available for download from http://www.perfdynamics.com/ and CPAN as (PERL::PDQ). The software can predict the programs performance when under heavy load based on mathematical models.

Linux Professional Institute Certifications, Level 3

2007-10-02T23:50:00.000+01:00

Linux Professional Institute (http://www.lpi.org/) is a Linux certifying organization, officially founded in October 1999 in Canada. Their vendor-independent certifications have become popular and are acknowledged worldwide. We can read the following mission statement on LPI's website:

LPI shall promote and certify essential skills on Linux and Open Source technologies through the global delivery of comprehensive, top quality, vendor-independent exams.

Exams are held in partnered exam centers around the world. Each exam costs 125 Euro or $125 USD, depending on your location. There are three levels of certification, each consisting of two exams.

Level 1: 117-101 and 117-102 - cover basic skills for the Linux professional that are common across all distributions of Linux.
Level 117-201 and 117-202 - cover advanced skills for the Linux professional, also common across all distributions of Linux.
Level 3: 117-301 and 117-302 - test skills in authentication, troubleshooting, network integration and capacityplanning.

The first two levels are quite easy to pass, all it takes is just a thorough read and some practice. For both of them you can find a plenty of resources across the whole internet, including test simulations and cheat-sheets. It's not so easy with the 3rd level anymore...Within the last year I managed to pass four exams, thus challenging myself to pass the third level during the upcoming year. I am going to prepare myself by blogging about it here in hope that somebody can make use of the information published. I would like to encourage everybody to learn with me, leave feedback and/or interesting ideas. I've just enabled an RSS feed just in case anybody wants to subscribe.

The course starts next weekend.

Where does E220 sell best?

2007-09-01T22:20:00.002+01:00

I was looking at my blogs stats (August) and found them quite interesting. Click the picture on the left side to see a compact ranking of countries that use HUAWEI E220 - visitors of this website. The order is descending. Looks like every seventh visitor is from Austria, which has a population of (according to Wikipedia) around 8 308 906 people only. This makes Austria an absolute no. 1 in this ranking.

HUAWEI E220 Statistics interface

2007-06-28T16:53:00.002+01:00

Project moved to
http://pyhumod.googlecode.com/
http://PyHumod.ooz.ie/

HUAWEI E220 HSDPA 3G modem in Linux

2007-06-12T23:41:00.002+01:00

UPDATE: Try PyHumod, a Python Library that supports talking to Huawei modems

Since Friday the 8th of June I'm in possession of a HUAWEI E220 modem, which is natively supported by Linux kernel and works fine in this system. It has some issues in kernel versions prior to 2.6.20. Different people apply different workarounds; one guy for instance had spread a funny "technical gossip" on the Internet (which does not deserve to be quoted here) on how to enable the USB serial port and I was truly astonished, when I saw how many people had picked up and applied this "gossip thing" in deep belief that it REALLY helps. Well, anyway I would also like to share my magic spells with you.

I run a little project, it's a package which enables HUAWEI E220 HSDPA Modem on Linux distributions with Kernel prior to 2.6.20, but not only!!! Versions with newer kernel work too, but they probably do not require my UDEV rule. However, if your kernel is newer than 2.6.19, you can always take a look at the configuration files included, which will let you connect to the Internet within 3 minutes. (No exaggeration!)

DOWNLOAD

huawei.tar.bz2

Currently works fine with (tested on):
openSUSE 10.2
SUSE Linux 10.1
Fedora Core 6
Fedora Core 5
Ubuntu 7.04
Ubuntu 6.10
Ubuntu 6.06
Mandriva Free2007Spring

The package includes configuration files for wvdial and pppd!!!

More to come.

Feedback in any form is very welcome.

Troubleshooting wireless adapters in Novell TEAM

2007-06-11T11:40:00.000+01:00

On 25th of May and a week later, on the 1st of June, I had a great pleasure of delivering a brief training on troubleshooting WiFi cards for openSUSE Support Team in Dublin. We went through the process of installing drivers and firmware for various adapters, afterwards we performed a proof of concept on how easily crackable a 128bit WEP encryption is. For that we used aircrack-ng suite strengthened by aircrack-ptw.

The short presentation in ODP format can be found here.

oozie's blog

Inspiration for veggie meals

Learn natural English with daily Collocations

Python issublist()

http://rozhlas.ooz.ie/ - Český Rozhlas live stream czech

A Finite State Machine module for Python

Python exec module in namespace, an importless import.

Google Questions SOAP service

A circular graph of Python 2.7 Types.

Python logging: extending standard logger by custom debug levels.

http://sole.ooz.ie/ - Solving Systems of linear equations

Transpositions in Sicilian Defense

Finding all successors of a node with pygraphviz

http://huffman.ooz.ie/ - Huffman Tree Generator

PeopleAsk.ooz.ie - A fresh blend of top-most questions to Google

Command line BBC news reader.

Python code to recognize a color of a chessboard square

Colorful output in expect.

Network Security with OpenSSL - exercises.

Install encrypted Gentoo in no time.

Timestamp converter powered by Google AppEngine

sms_exec.py - SMS controlled POSIX machine.

PyHumod 0.01 beta is out!

Installation

Basic usage

Find Huawei interfaces on Linux

Cloud Computing - Another paper from Sun Microsystems

Listening to technical presentations.

Virtualization for Dummies from AMD and Sun.

Thoughts on troubleshooting methodology...

IPv6 on Gentoo.

IPv6 Google Search Firefox Plugin

A simple javascript test for IPv6 connectivity.

Trivial encryption with coreutils

% percent string formatting in Python

[0x04]. Notes on Assembly - The fairytale of an x86 CPU

[0x03]. Notes on Assembly - Memory from a process' point of view

[0x02]. Notes on Assembly - Acquainting oneself with the Memory

[0x01]. Notes on Assembly - AT&T vs Intel syntax

[0x00]. Notes on Assembly - Basic Terms

0x08. [LPIC-302] LPIC 117-302 online exam simulation (yes, for free)

0x07. [LPIC-302] Security and Performance

Linux File System and Share/Service PermissionsCandidates should understand file permissions on a Linux file system in a mixed environment

Note

Samba SecurityCandidates should be able to secure Samba at both the firewall level, and the Samba daemons themselves

Performance TuningCandidates should be able to cluster services for load balancing and high availability purposes, and tune Samba settings for better server and network performance

0x06. [LPIC-302] Working with CIFS, NetBIOS, and Active Directory

CIFS IntegrationCandidates should be comfortable working with CIFS in a mixed environment

NetBIOS and WINSCandidates should be familiar with NetBIOS/WINS concepts and understand network browsing

Integrating with Active DirectoryCandidates should be able to integrate Linux servers into an environment where Active Directory is present

Working with Windows Clients / know your enemyClients should be able to interact with remote Windows clients, and configure Windows workstations to access file and print services from Linux servers

0x05. [LPIC-302] User and Group Management

Managing User Accounts and GroupsCandidates should be able to manage user and group accounts in a mixed environment

Authentication and Authorization Candidates should understand the various authentication mechanisms and configure access control

0x04. [LPIC-302] Samba Advanced Config - DCs, SWAT and Internationalization

Domain Control

SWAT Configuration

InternalizationCandidates should be able to work with internationalization character codes and code pages

0x03. [LPIC-302] Samba Basic Config - file and printer shares

Configuring File Sharing Services

0x02. [LPIC-302] Samba - introduction to basic configuration

0x01. [LPIC-302] Samba configuration and compilation from source

0x00. [LPIC-302] Samba/CIFS - Terms glossary

bash kick - A quick way to get rid of unwanted users from the system.

Encrypted root & swap partitions on Gentoo with cryptsetup (LUKS) in less than an hour!

0x0F. [LPIC-301] Capacity Planning - Predict Future Resource Needs

0x0E. [LPIC-301] Capacity Planning - Analyze Demand

0x0D. [LPIC-301] Capacity Planning - Troubleshoot Resource Problems

0x0C. [LPIC-301] Capacity Planning - Measure Resource Usage

0x0B. [LPIC-301] LDAP - Development

0x0A. [LPIC-301] LDAP - Integration

0x09. [LPIC-301] LDAP - Directory performance tuning

0x08. [LPIC-301] LDAP - OpenLDAP customizing - schema files

0x07. [LPIC-301] LDAP - Directory replication

0x06. [LPIC-301] LDAP - Tightening security

0x05. [LPIC-301] LDAP - make use of LDAP: nss_ldap and pam_ldap

0x04. [LPIC-301] LDAP - Secure your directory

0x03. [LPIC-301] LDAP - Entering data into OpenLDAP

0x02. [LPIC-301] LDAP - /etc/init.d/slapd start

0x01. [LPIC-301] LDAP - Obtaining and building OpenLDAP

Linux File System and Share/Service Permissions
Candidates should understand file permissions on a Linux file system in a mixed environment

Samba Security
Candidates should be able to secure Samba at both the firewall level, and the Samba daemons themselves

Performance Tuning
Candidates should be able to cluster services for load balancing and high availability purposes, and tune Samba settings for better server and network performance

CIFS Integration
Candidates should be comfortable working with CIFS in a mixed environment

NetBIOS and WINS
Candidates should be familiar with NetBIOS/WINS concepts and understand network browsing

Integrating with Active Directory
Candidates should be able to integrate Linux servers into an environment where Active Directory is present

Working with Windows Clients / know your enemy
Clients should be able to interact with remote Windows clients, and configure Windows workstations to access file and print services from Linux servers

Managing User Accounts and Groups
Candidates should be able to manage user and group accounts in a mixed environment

Authentication and Authorization
Candidates should understand the various authentication mechanisms and configure access control

Internalization
Candidates should be able to work with internationalization character codes and code pages