Rob Golding

For a while now, I’ve been using Subversion to keep track of personal projects and coursework at university. SVN is installed on the UNIX servers as Computer Science, so it’s a relatively trivial process to get up and running with a repository when I start a new assignment.

Recently though, I’ve been looking in to Mercurial as a more modern alternative. Some things about Subversion are really starting to annoy me, like the inability to ignore files on a repository-wide level easily (I work with Python all the time, so .pyc files can really get on my nerves!). Mercurial seems slicker, and I’m interested in the concept of DVCS, as opposed to the classic client-server way of thinking.

However, Mercurial is not installed on the (rather ancient, now) Solaris servers at university. I really admire the job that the sysadmins do, so I am in no way condemning them for it not being installed. Instead, I set out to get it compiled and working myself.

Installing it on the servers, it seemed, was the easy part. I followed the installation instructions (making sure to include the LD_LIBRARY_PATH variable) and all was well.

Cloning from the server, however, wasn’t so easy. The problem lies in the fact that Mercurial is now installed for me, and me alone. The hg binary lives in my home directory, not on the server’s main path (i.e. the /usr/bin/ directory). Therefore, I needed to tell the client exactly what command to run on the server. If anyone else is having the same trouble, the command that I finally came up with looks like this:

hg –config ui.remotecmd=”LD_LIBRARY_PATH=/usr/sfw/lib PYTHONPATH=~/lib/python ~/bin/hg”

I then aliased this command to hgtuck to save my sanity (the server is named tuck, after Friar Tuck in the Robin Hood legends), and I now have a perfectly working Mercurial install!

If anyone else is looking to do something similar, then I hope this little tip saves you some time!

For our last coursework (which was for a really interesting compilers module), I chose to present my answers in LaTeX. It’s been a very steep learning curve, but I’m extremely happy with the results. I don’t even mind the slight drop in productivity that’s caused by my uncontrollable urge to stop and admire my document every so often! One thing that had me stuck for a while, however, was the automatic section numbering system.

To answer the questions for the compilers coursework, I wanted my sections to be numbered (1, 2, 3), my subsections to be numbered (a, b, c), and my subsubsections to be numbered (i, ii, iii). This numbering pattern matches that which is given in the question paper, whereby a number of nested enumerates were used. The default LaTeX section numbering however is (1, 1.1, 1.1.1). I finally found a way to alter this default behaviour by using the following code in the preamble:

\renewcommand{\thesubsection}{(\alph{subsection})}

\renewcommand{\thesubsubsection}{\roman{subsection}.}

This code modifies the way that the counters for subsections and subsubsections are printed (section counters are correct when left at the default).

I hope this saves someone even the few minutes it took me to work this out, once I’d applied some logic! It’s very useful to know that LaTeX has a counter for everything. This particular post was very helpful in working out which ones to alter, and how.

Recently, I’ve been doing a lot of work trying to integrate Linux & Windows machines on a single network. The project begun with a need to allow windows users access to file shares using Samba, and Linux users access to the same data using NFS. As you may know, Samba (or more specifically the SMB protocol) uses a username/password combination to authenticate users, while NFS uses user IDs and group IDs (UIDs & GIDs) on the local machines to achieve the same end. Therefore, I needed a way to consistently authenticate Windows domain users on Linux machines, whilst maintaining a consistent conversion from SID -> UID, and vice-versa.

Domain authentication can be achieved relatively simply, by using either Winbind (part of the Samba project) or the new kid on the block, Likewise. Likewise-Open offers a simple procedure for joining domains, and the new version comes packaged with it’s own version of Kerberos. It also hashes the Windows SID into a UNIX UID in a consistent manner – so the UIDs are always the same across your entire environment. Sounds perfect, right? Well, no. Not quite. The problem with Likewise-Open, is that it’s difficult to integrate with Samba. Though it does ship with a “compatibility module” called lwi_compat, which allows Samba to hook into Likewise’s authentication module, I found this quite difficult to get working, and I only achieved partial success through guesswork – as the documentation didn’t actually help much, given they only officially support Samba 3.0.x (while Ubuntu now uses 3.3.x). When I did get it going, however, it only recognised the Windows users’ primary group, not any of the other groups they were members of. This meant that my (possibly overly) complex system of ACLs and user directories just didn’t work at all. So, on to Plan B…

When I read through the short (but sweet) Ubuntu Wiki article entitled ActiveDirectoryWinbindHowto, I felt like somewhat of a fool after reading a small, illusive section called Adding more than one Linux machine to a Windows network. Bingo! This section described a problem whereby the traditional Winbind domain authentication method would lead to inconsistent UIDs across the network, and thus cause headaches when trying to achieve anything like what I was aiming for. It suggested using a method of mapping SIDs to UIDs called RID. I assume this stands for Relative ID, which is another kind of ID Active Directory uses to track users within a domain. These can possibly clash from domain to domain, so it is advised not to use this method when your network contains a trust between multiple Windows domains, but for the simpler setup (like my own) it’s a godsend.

This meant that I could use RID mapping within Winbind, which is part of Samba itself (so no troubles integrating those two), and achieve a consistent SID-UID mapping scheme across the network, allowing me to finally enable access to the file shares via. NFS. Amazingly, NFS “Just Worked” straight away, and I’ve written some nice wrapper programs around chown, getfacl and setfacl to set the correct owner and permissions on entire directory trees, which saves a lot of time when your UIDs are changing as often as mine were! I’m also using autofs to automatically map user’s home directories on the Linux machines, which has proven itself to be very useful. I just used static fstab entries to map the other “general” file shares, like software and media – as I couldn’t seem to get autofs direct maps working (apparently they are only partially working in Ubuntu anyway, but it seems as though they are completely broken to me).

On a side note, I’ve also just finished developing a Python-based rsync backup program, which allows me to write a _very_ small script to backup remote servers using rsync over SSH, and tar up the contents of all the servers into one archive. This is really useful, as I have a lot of disparate locations on different servers that all need to be pulled onto the backup drive every night. Now though, I should really concentrate on some revision for the exams I have after Christmas!

Happy holidays, everyone! (That’s Merry Christmas and a happy new year, but just between you and me).

The country has just undergone a mass-exodus of university students from their parents’ houses back into halls. I played by own small part in blocking up the roads moving back into university accommodation this weekend, and it’s all gearing up for the new school year.

I’ve been working with Django more and more lately, and I’ve written my first “commercial” application using my new favourite framework – a booking system for taught causes at the City Council. I’m really enjoying writing web applications with Django, and I’m sure this blog will start to resemble a web-developer’s in the near future.

Also, I’m really looking forward to this year at university. As I understand it, there’s a lot more work to be done, but the software engineering group project should be fun – as long as my “randomly chosen” team are happy with us using Python!

Over the past week, I’ve been upgrading my e-mail system to Exchange 2007 (I was previously using Exchange ‘03). For me, it’s very useful to have the systems that I write about, and consult for, installed at home in a “semi-production” manner. It means that I have a system to work on, and I am concerned with keeping it up and running as smoothly as possible – which introduces me to intricacies that I would not otherwise encounter, if I were just running a little test lab.

For example, when setting up Outlook Anywhere (the rebranded RPC/HTTP feature of Exchange, allowing Outlook users to connect from outside the organisation) I discovered a lot of “Sync Issues” appearing in my Inbox. The messages all had a common theme:

11:19:07 Synchronizer Version 12.0.6315
11:19:07 Synchronizing Mailbox ‘User’
11:19:07 Synchronizing Hierarchy
11:19:07 Done
11:19:09 Microsoft Exchange offline address book
11:19:09              Not downloading Offline address book files.  A server (URL) could not be located.
11:19:09       0X8004010F

Clearly, something was wrong with the Offline Address Book. I was only getting these messages when using Outlook Anywhere, however, so this issue was obviously specific to RPC/HTTP.

Looking up the error code, I found that the problem I was experiencing was very common, but that nowhere seemed to have the ultimate repair. The information available was sparse, and I had to put together my own solution – which I will document below.

First, I registered an extra DNS (A) record for my email domain, called “autodiscover”. I must be clear here, that this is for the mail domain, not for the domain used to access your OWA site. For example (and we’ll go with the Microsoft classic here), if your users have addresses such as user1@contoso.com, user2@contoso.com and you access your OWA via https://mail.contoso.com/owa, then you need to register an A record for autodiscover.contoso.com.

Next, I prepared a new certificate request, that would hopefully end up with me obtaining a certificate that I could use to replace the current one, which would be valid for both mail.contoso.com and autodiscover.contoso.com (to continue with our example) – so that my Outlook clients could successfully access the autodiscover service, and download the OAB. To do this, I used the following EMS command:

New-ExchangeCertificate -domainname mail.contoso.com, exchange.contoso.local, autodiscover.contoso.com -Friendlyname “Contoso Exchange CAS SAN Certificate” -generaterequest:$true -keysize 1024 -path c:\certrequest.req -privatekeyexportable:$true –subjectname “c=GB o=contoso inc, CN=mail.contoso.com”

This command requires a little explanation. The -domainname switch is used to specify a list of addresses for which this server is valid. This is called a SAN (Subject Alternative Name). Not all CA’s support SANs, but Windows Server 2008’s CA Services does, which I will come back to later. Next, we give the certificate a “Friendly Name”, which is just a reference for you, the administrator. Then we specify that we are looking to generate and save a request, and that we want to be able to export the private key. The Subject Name is important, but also slightly confusing. You must specify your country code (US, GB, ES), your organisation name, and Common Name (CN) – which is the most important one. This must be the URL used to access the SSL service using a web browser, so mine was mail.contoso.com.

Once this request is saved, I passed it on to my CA to get the certificate issued. If you’re using a 3rd party CA (like VeriSign), then you’ll have to check first whether they support SANs. I use self-signed certificates, and my CA is running Windows Server 2008, which does support SANs, so I issued the request internally. This is done by accessing the CertSrv website, at http://servername/certsrv, and clicking the “Request a Certificate” link. Then, I chose “Advanced Request”, and pasted the reqest file’s contents into the box, and picked the “Web Server” template.

This presented me with a downloadable certificate, which I saved locally in CER format on the exchange server. Then I used the following command to import the certificate:

Import-ExchangeCertificate –path <certificate>

Once the certificate was imported, I enabled it for use with exchange. A similar command is used for this:

Enable-ExchangeCertificate

This prompted for a list of services, where I entered IMAP, IIS, SMTP as these are the default installed services. Only IIS actually gets used here, so I shouldn’t worry too much about this one. If you’re not sure, then just enter the same as me. Lastly, it asked for a thumbprint, which I copied and pasted from the output of the import command. Finally, after accepting the confirmation, the certificate was enabled.

And that was it. Both OWA and Outlook Anywhere are now working perfectly, and hopefully this post will help at least one other lost soul with the same problem!

I just finished my last exam today – Web Programming and Scripting – which explains the distinct lack of activity around here in recent times. Thankfully I could end my exam season on a high, as web programming is, well, what I do – so it wasn’t too much of a challenge!

Something strange happens to me every time exams come around. I seem to pick up new projects, and just run with them. This time, I’ve become involved with a small group of people at university, writing a portal-style information system for universities. I suppose most people call this behavior procrastination, but I’m quite deeply in denial about that.

Ever since my post about the Backtrac Backup System, I’ve been really enjoying using Django. Something about it just makes developing for the web, well, exciting. That can only be good, right? I am the designated server administrator for this latest project, mostly due to the fact that I am the only one with a server to administer, and some of the things I’ve learned so far seem worthy of a mention here.  Firstly, we as developers were – how can I put it – stepping on each other toes somewhat. The project at this point had no version control, so we were just editing a bunch of files over SFTP. Obviously, some sort of Source Control Management was in order. I did some research, and decided that Git was a nice, modern alternative to the ever-popular SVN. It also meant that my server was constantly backed up by everyone on the team – but that’s just a bonus!

So, I installed Git, and started a repository. A lot of effort went into learning how the system works, and more importantly, how to make it work for us. Directed Acyclic Graphs thankfully made some sense to me, so I could just about understance the documentation. I wrote some custom hooks, and a C Program to syncronise the web-server. I was happy, and absolutely certain that this was the solution to all our woes. I was mistaken. Git just didn’t work the way I had hoped. The custom hooks were throwing permission errors all over the place, and my development team (read: my friend Rob Miles) was locked out of the repository. We made the decision yesterday to scrap Git, and go back to the previous system of editing the files over SFTP. We are always in constant communication when developing for the project, so it’s not too big a deal, but I feel that I failed as an adminisrator. You see, as an admin your job isn’t just to play with cool toys and loud servers – your primary purpose is to give the users what they need to work, and that is most certainly not what I achieved.

I’m glad I took the time to learn Git – and I’m sure it will help me later in life, in some way or another. It’s just unfortunate that it didn’t work out the way I had hoped for our project.

As a sort of follow-on from my last post, I thought I’d write a little about the latest little addition to my system – roaming Firefox profiles. This is something I had always considered to be almost impossible to achieve, without complicated logon and logoff scripts that syncronise the correct folder(s) to give the same effect as a ‘redirected’ profile. Well I discovered a much easier way to achieve actual *real* profile redirection, when browsing around the features offered by Group Policy Client Side Extensions.

The basic idea is that Firefox has a file called profiles.ini, which takes care of all the configured profiles, and where they are stored. I used this file to change the default profile location to within the user’s home directory on the file server. I had to use a home drive, mapped to the root of my users’ folder redirection directory on the server, as I presumed UNC paths were unsupported in the .ini file. I did this with a GP Preference drive map using the %USERNAME% variable, and an amazing feature of GP Preferences – parsing and even altering ini files. You can specify which section of the ini file you are interested in, and which key you want changing. How useful! My policy looks like this:

You can probably work out what’s going on here, but I’ll give a quick overview. Basically, you specify the ini file to edit – in this case it’s %APPDATA%\Mozilla\Firefox\profiles.ini. Using the %APPDATA% variable means that it will always resolve to the correct location in the user’s local profile, whether they are on XP or Vista. Then we specify the section of the ini file – I’m interested in Profile0. This is the only profile present by default, but allows users to have multiple profiles if they wish without overwiting their settings when they log off. Finally, you specify the key to change, and what to change it to. I rename the default profile to Firefox, and change it’s location to H:\Firefox. Also, this path is not relative, so I have to change IsRelative to 0.

OK, so now we have the Firefox profile location sorted, we need to make sure that folder exists – or Firefox will just overwrite our changes and make it’s own folder in the default location. It’s easy to use GP Preferences for this as well – as there’s a Folders preference category. So I just made a new folders preference for \\zeus\UserData\%USERNAME%\Firefox, with the action of create (zeus is my main DC and File Server). I used the UNC path to be sure that the folder is created, even if the drive map hadn’t come into effect when this preference was applied. Also, a little trick I had to pull here was ticking the checkbox titled Run in logged-on user’s security context on the common tab. This is because only the user has permissions on their home directory, so this preference needed to run in the context of that user for it to work successfully (without access denied errors).

Once this was finished, the system started to work flawlessly. I copied the contents of existing Firefox profiles to the newly created directories, and they were picked up by Firefox with no problems. New users get blank profiles as expected, but they are stored on the file server instead of the local machine. One little issue I have encountered is that a user can’t logon at more than one machine, and start Firefox – as the program can’t lock particular files in the profile. This just results in a message saying this Firefox is already running though, which is pretty much correct (and I can’t see why this would ever cause problems for the user).

The last trick I employed, to make things a little speedier and to reduce uneccesary file server traffic, was to disable disk caching on the roaming Firefox profiles. To do this, I used a file policy in GP Preferences to copy a tiny user.js (Firefox’s preference file override) which contained only one line:

user_pref(“browser.cache.disk.enable”, false);

This turns off disk caching completely, which will not only save space on the file server, but should speed things up as well. I hosted this file elsewhere on the file server, and told the file policy to simply copy it into place, within the user’s Firefox profile. Here’s the preference:

So there you have it, my technique for enabling roaming Firefox profiles. If you’ve achieved the same through a different method, or have any ideas on this this could be improved, then I’d love to hear how – feel free to comment on this post.

Thanks to the MSDNAA program, I’m able to try out the latest version of Windows Server in the lab. I opted to migrate my domain accross to a new machine, instead of performing an in-place upgrade. Personally I feel this is a much safer bet, and tend to migrate domain controllers whenever I’m doing something pretty major to a DC.

So far everything looks good, I’ve upped the forest and domain functional level to Server 2008, so I can now take advantage of some of the new features – though I’m yet to find out what they all are! The best thing so far (by a mile I’d like to add) is the addition of Group Policy Preferences. Although it’s annoying having to install the Client-Side Extensions on every machine in the domain (that is if WSUS isn’t in use), the gains faw outweigh this bit of pain. I only wish an MSI could have been released, so that it could easily be pushed out using the existing Group Policy infrastructure. Never mind, eh?

Anyway, on with the good! The new GP Preferences allow an administrator to define, amongst others, drive maps for client machines, printer connections and power options. As you may be thinking, this just about does away with the need for logon scripts! Most, if not all of the common tasks that are performed with logon scripts can now be done from a group policy object.

There are also a lot of changes to the way Active Directory works. In Server 2008, Active Directory Domain Services can be installed on a machine, without actually making it a DC. What this means is that a standard server build can be ’sysprepped’ with the files required for promoting the server to a DC, without actually doing the promotion. Also, Read-Only Domain Controllers (RODCs) have been introduced as a new feature. Essentially, an RODC just caches queries from a normal DC, usually located at another site – apparently allowing for faster logon times at remote sites with slow links. After discussion with a colleague, however, the benefits of such a system are maybe not quite as advertised. For example, only one RODC can be installed per site – so larger sites can’t benefit from the redundancy and load balancing offered by multiple DCs, if RODCs are used. Also, the much-touted security advantages of using an RODC aren’t as they seem either, as the database can be just as easily written to, just through another “normal” DC.

More on this later!

My life has been pretty busy as of late, mostly with a new project I am working on called BackTrac. I am developing a network backup solution, written entirely in Python – using the Django framework as a front-end web interface.This came at quite a good time, as I’ve been asked to give a presentation on any highly technical topic, on which I know my stuff. The plan is to use BackTrac as a base, and to explain the technical concepts behind the system that make it work. The things I am going on concentrate on are:

• Pyhon in general
• XML-RPC
• Filesystem hardlinks
• The MVC concept, and Django

This should be enough content to fill a 15-minute slot, I hope.

Now I’ll explain a little bit about how BackTrac works, for the benefit of those not coming to the presentation.

What I wanted to achieve with BackTrac was a smart backup system, that doesn’t necessarily have to be the fastest. I wanted a very detailed web interface, with scheduling capabilities and log view. I decided on Django for this, seeing as I had already decided on Python for the system itself.

The nodes in the system use XML-RPC to communicate, and SMB for the actual file-copying. The real bonus of this system is that it takes advantage of a little-understood feature, present in most modern filesystems, called hardlinks. Hardlinks enable the user to essentially point to the same piece of data on a disk from more than one position. Essentially the concept is that if a file has been backed up before, why back it up again? Just create a link or “shortcut” (a hardlink) to the previously backed-up file. This is the basis for BackTrac.

Also, Django is turning out to be a real treat. This is the first time I have used an MVC like Django, and I’m really enjoying it. Web development is exciting again! I do agree with one point however, that Django makes the easy things easy, and the hard things impossible. Not quite impossible in my case, but I’ve had to do some pretty strange things to get Django to do what I want.

Finally, I’ve had the BackTrac project approved on Sourceforge.net, so watch out – I’ll be doing the initial import soon and getting some web content online. First though, I have to decide on the best way to distribute the application. This is a bit more complicated than it might otherwise be, because there are three different aspects of the system – the client application, the server application, and the Django project. On this topic or any other, as usual, opinions are most welcome.

To go with the recent network upgrades and anti-spam system, I have been working on a new way to back all this information up. The solution I’ve come up with is surprisingly simple: VSS Snapshots with Robocopy to mirror the changes. The basic idea is that the backup script creates a Volume Shadow Copy Service Snapshot, and “exposes” (mounts) the snapshot with an unused drive letter. Robocopy then mirrors the contents of this snapshot to the backup drive, allowing even files that are locked to be backed up. Add in a bit of error-checking and status emails, and we have a pretty solid backup system. I’ll run through the details below.

To create the VSS snapshot, I used a script sourced from an MSDN blog called CreateShadow, which I modified slightly to suit my purpose. I had it keep the temporary variables script, so I could use it later on (once the backup has finished) to delete the snapshot.

Once the snapshot is created and exposed, I used Robocopy with the mirror (/MIR) switch, to copy the contents to the backup drive. It just so happens that the backup drive is connected to a Samba server running on Ubuntu. This meant that I ran into a problem with timestamps whereby files were always classified as “newer”, even if they hadn’t changed at all since the last run. I fixed this by using the Fat File Times (/FFT) switch which gives a 2-second granularity on the timestamp of files, which solved the issue straight away.

The backup having completed, the script calls the temporary variables script generated by the CreateShadow script, to reinstate the snapshot ID, which is then used to remove the shadow copy cleanly.

In theory, this is an extremely efficient and robust backup system – not to mention being completely free of any licence fees. I may improve it in the future by adding functionality with multiple backup sets – at the moment I only have one day to recover from any accidental deletions – barring the previous versions.

One thing I am stuggling with at present, however, is the fact that when the backup runs under scheduled task at 3am, a number of files throw access denied errors – namely any files or directories with special characters. This is a particularly strange issue as the process works flawlessly when launched manually. I am still trying to solve the issue, but I’ll be sure to post an update if and when I find the solution.