Rob Golding

For our last coursework (which was for a really interesting compilers module), I chose to present my answers in LaTeX. It’s been a very steep learning curve, but I’m extremely happy with the results. I don’t even mind the slight drop in productivity that’s caused by my uncontrollable urge to stop and admire my document every so often! One thing that had me stuck for a while, however, was the automatic section numbering system.

To answer the questions for the compilers coursework, I wanted my sections to be numbered (1, 2, 3), my subsections to be numbered (a, b, c), and my subsubsections to be numbered (i, ii, iii). This numbering pattern matches that which is given in the question paper, whereby a number of nested enumerates were used. The default LaTeX section numbering however is (1, 1.1, 1.1.1). I finally found a way to alter this default behaviour by using the following code in the preamble:

\renewcommand{\thesubsection}{(\alph{subsection})}

\renewcommand{\thesubsubsection}{\roman{subsection}.}

This code modifies the way that the counters for subsections and subsubsections are printed (section counters are correct when left at the default).

I hope this saves someone even the few minutes it took me to work this out, once I’d applied some logic! It’s very useful to know that LaTeX has a counter for everything. This particular post was very helpful in working out which ones to alter, and how.

Recently, I’ve been doing a lot of work trying to integrate Linux & Windows machines on a single network. The project begun with a need to allow windows users access to file shares using Samba, and Linux users access to the same data using NFS. As you may know, Samba (or more specifically the SMB protocol) uses a username/password combination to authenticate users, while NFS uses user IDs and group IDs (UIDs & GIDs) on the local machines to achieve the same end. Therefore, I needed a way to consistently authenticate Windows domain users on Linux machines, whilst maintaining a consistent conversion from SID -> UID, and vice-versa.

Domain authentication can be achieved relatively simply, by using either Winbind (part of the Samba project) or the new kid on the block, Likewise. Likewise-Open offers a simple procedure for joining domains, and the new version comes packaged with it’s own version of Kerberos. It also hashes the Windows SID into a UNIX UID in a consistent manner – so the UIDs are always the same across your entire environment. Sounds perfect, right? Well, no. Not quite. The problem with Likewise-Open, is that it’s difficult to integrate with Samba. Though it does ship with a “compatibility module” called lwi_compat, which allows Samba to hook into Likewise’s authentication module, I found this quite difficult to get working, and I only achieved partial success through guesswork – as the documentation didn’t actually help much, given they only officially support Samba 3.0.x (while Ubuntu now uses 3.3.x). When I did get it going, however, it only recognised the Windows users’ primary group, not any of the other groups they were members of. This meant that my (possibly overly) complex system of ACLs and user directories just didn’t work at all. So, on to Plan B…

When I read through the short (but sweet) Ubuntu Wiki article entitled ActiveDirectoryWinbindHowto, I felt like somewhat of a fool after reading a small, illusive section called Adding more than one Linux machine to a Windows network. Bingo! This section described a problem whereby the traditional Winbind domain authentication method would lead to inconsistent UIDs across the network, and thus cause headaches when trying to achieve anything like what I was aiming for. It suggested using a method of mapping SIDs to UIDs called RID. I assume this stands for Relative ID, which is another kind of ID Active Directory uses to track users within a domain. These can possibly clash from domain to domain, so it is advised not to use this method when your network contains a trust between multiple Windows domains, but for the simpler setup (like my own) it’s a godsend.

This meant that I could use RID mapping within Winbind, which is part of Samba itself (so no troubles integrating those two), and achieve a consistent SID-UID mapping scheme across the network, allowing me to finally enable access to the file shares via. NFS. Amazingly, NFS “Just Worked” straight away, and I’ve written some nice wrapper programs around chown, getfacl and setfacl to set the correct owner and permissions on entire directory trees, which saves a lot of time when your UIDs are changing as often as mine were! I’m also using autofs to automatically map user’s home directories on the Linux machines, which has proven itself to be very useful. I just used static fstab entries to map the other “general” file shares, like software and media – as I couldn’t seem to get autofs direct maps working (apparently they are only partially working in Ubuntu anyway, but it seems as though they are completely broken to me).

On a side note, I’ve also just finished developing a Python-based rsync backup program, which allows me to write a _very_ small script to backup remote servers using rsync over SSH, and tar up the contents of all the servers into one archive. This is really useful, as I have a lot of disparate locations on different servers that all need to be pulled onto the backup drive every night. Now though, I should really concentrate on some revision for the exams I have after Christmas!

Happy holidays, everyone! (That’s Merry Christmas and a happy new year, but just between you and me).

Over the past week, I’ve been upgrading my e-mail system to Exchange 2007 (I was previously using Exchange ‘03). For me, it’s very useful to have the systems that I write about, and consult for, installed at home in a “semi-production” manner. It means that I have a system to work on, and I am concerned with keeping it up and running as smoothly as possible – which introduces me to intricacies that I would not otherwise encounter, if I were just running a little test lab.

For example, when setting up Outlook Anywhere (the rebranded RPC/HTTP feature of Exchange, allowing Outlook users to connect from outside the organisation) I discovered a lot of “Sync Issues” appearing in my Inbox. The messages all had a common theme:

11:19:07 Synchronizer Version 12.0.6315
11:19:07 Synchronizing Mailbox ‘User’
11:19:07 Synchronizing Hierarchy
11:19:07 Done
11:19:09 Microsoft Exchange offline address book
11:19:09              Not downloading Offline address book files.  A server (URL) could not be located.
11:19:09       0X8004010F

Clearly, something was wrong with the Offline Address Book. I was only getting these messages when using Outlook Anywhere, however, so this issue was obviously specific to RPC/HTTP.

Looking up the error code, I found that the problem I was experiencing was very common, but that nowhere seemed to have the ultimate repair. The information available was sparse, and I had to put together my own solution – which I will document below.

First, I registered an extra DNS (A) record for my email domain, called “autodiscover”. I must be clear here, that this is for the mail domain, not for the domain used to access your OWA site. For example (and we’ll go with the Microsoft classic here), if your users have addresses such as user1@contoso.com, user2@contoso.com and you access your OWA via https://mail.contoso.com/owa, then you need to register an A record for autodiscover.contoso.com.

Next, I prepared a new certificate request, that would hopefully end up with me obtaining a certificate that I could use to replace the current one, which would be valid for both mail.contoso.com and autodiscover.contoso.com (to continue with our example) – so that my Outlook clients could successfully access the autodiscover service, and download the OAB. To do this, I used the following EMS command:

New-ExchangeCertificate -domainname mail.contoso.com, exchange.contoso.local, autodiscover.contoso.com -Friendlyname “Contoso Exchange CAS SAN Certificate” -generaterequest:$true -keysize 1024 -path c:\certrequest.req -privatekeyexportable:$true –subjectname “c=GB o=contoso inc, CN=mail.contoso.com”

This command requires a little explanation. The -domainname switch is used to specify a list of addresses for which this server is valid. This is called a SAN (Subject Alternative Name). Not all CA’s support SANs, but Windows Server 2008’s CA Services does, which I will come back to later. Next, we give the certificate a “Friendly Name”, which is just a reference for you, the administrator. Then we specify that we are looking to generate and save a request, and that we want to be able to export the private key. The Subject Name is important, but also slightly confusing. You must specify your country code (US, GB, ES), your organisation name, and Common Name (CN) – which is the most important one. This must be the URL used to access the SSL service using a web browser, so mine was mail.contoso.com.

Once this request is saved, I passed it on to my CA to get the certificate issued. If you’re using a 3rd party CA (like VeriSign), then you’ll have to check first whether they support SANs. I use self-signed certificates, and my CA is running Windows Server 2008, which does support SANs, so I issued the request internally. This is done by accessing the CertSrv website, at http://servername/certsrv, and clicking the “Request a Certificate” link. Then, I chose “Advanced Request”, and pasted the reqest file’s contents into the box, and picked the “Web Server” template.

This presented me with a downloadable certificate, which I saved locally in CER format on the exchange server. Then I used the following command to import the certificate:

Import-ExchangeCertificate –path <certificate>

Once the certificate was imported, I enabled it for use with exchange. A similar command is used for this:

Enable-ExchangeCertificate

This prompted for a list of services, where I entered IMAP, IIS, SMTP as these are the default installed services. Only IIS actually gets used here, so I shouldn’t worry too much about this one. If you’re not sure, then just enter the same as me. Lastly, it asked for a thumbprint, which I copied and pasted from the output of the import command. Finally, after accepting the confirmation, the certificate was enabled.

And that was it. Both OWA and Outlook Anywhere are now working perfectly, and hopefully this post will help at least one other lost soul with the same problem!

I just finished my last exam today – Web Programming and Scripting – which explains the distinct lack of activity around here in recent times. Thankfully I could end my exam season on a high, as web programming is, well, what I do – so it wasn’t too much of a challenge!

Something strange happens to me every time exams come around. I seem to pick up new projects, and just run with them. This time, I’ve become involved with a small group of people at university, writing a portal-style information system for universities. I suppose most people call this behavior procrastination, but I’m quite deeply in denial about that.

Ever since my post about the Backtrac Backup System, I’ve been really enjoying using Django. Something about it just makes developing for the web, well, exciting. That can only be good, right? I am the designated server administrator for this latest project, mostly due to the fact that I am the only one with a server to administer, and some of the things I’ve learned so far seem worthy of a mention here.  Firstly, we as developers were – how can I put it – stepping on each other toes somewhat. The project at this point had no version control, so we were just editing a bunch of files over SFTP. Obviously, some sort of Source Control Management was in order. I did some research, and decided that Git was a nice, modern alternative to the ever-popular SVN. It also meant that my server was constantly backed up by everyone on the team – but that’s just a bonus!

So, I installed Git, and started a repository. A lot of effort went into learning how the system works, and more importantly, how to make it work for us. Directed Acyclic Graphs thankfully made some sense to me, so I could just about understance the documentation. I wrote some custom hooks, and a C Program to syncronise the web-server. I was happy, and absolutely certain that this was the solution to all our woes. I was mistaken. Git just didn’t work the way I had hoped. The custom hooks were throwing permission errors all over the place, and my development team (read: my friend Rob Miles) was locked out of the repository. We made the decision yesterday to scrap Git, and go back to the previous system of editing the files over SFTP. We are always in constant communication when developing for the project, so it’s not too big a deal, but I feel that I failed as an adminisrator. You see, as an admin your job isn’t just to play with cool toys and loud servers – your primary purpose is to give the users what they need to work, and that is most certainly not what I achieved.

I’m glad I took the time to learn Git – and I’m sure it will help me later in life, in some way or another. It’s just unfortunate that it didn’t work out the way I had hoped for our project.

As a sort of follow-on from my last post, I thought I’d write a little about the latest little addition to my system – roaming Firefox profiles. This is something I had always considered to be almost impossible to achieve, without complicated logon and logoff scripts that syncronise the correct folder(s) to give the same effect as a ‘redirected’ profile. Well I discovered a much easier way to achieve actual *real* profile redirection, when browsing around the features offered by Group Policy Client Side Extensions.

The basic idea is that Firefox has a file called profiles.ini, which takes care of all the configured profiles, and where they are stored. I used this file to change the default profile location to within the user’s home directory on the file server. I had to use a home drive, mapped to the root of my users’ folder redirection directory on the server, as I presumed UNC paths were unsupported in the .ini file. I did this with a GP Preference drive map using the %USERNAME% variable, and an amazing feature of GP Preferences – parsing and even altering ini files. You can specify which section of the ini file you are interested in, and which key you want changing. How useful! My policy looks like this:

You can probably work out what’s going on here, but I’ll give a quick overview. Basically, you specify the ini file to edit – in this case it’s %APPDATA%\Mozilla\Firefox\profiles.ini. Using the %APPDATA% variable means that it will always resolve to the correct location in the user’s local profile, whether they are on XP or Vista. Then we specify the section of the ini file – I’m interested in Profile0. This is the only profile present by default, but allows users to have multiple profiles if they wish without overwiting their settings when they log off. Finally, you specify the key to change, and what to change it to. I rename the default profile to Firefox, and change it’s location to H:\Firefox. Also, this path is not relative, so I have to change IsRelative to 0.

OK, so now we have the Firefox profile location sorted, we need to make sure that folder exists – or Firefox will just overwrite our changes and make it’s own folder in the default location. It’s easy to use GP Preferences for this as well – as there’s a Folders preference category. So I just made a new folders preference for \\zeus\UserData\%USERNAME%\Firefox, with the action of create (zeus is my main DC and File Server). I used the UNC path to be sure that the folder is created, even if the drive map hadn’t come into effect when this preference was applied. Also, a little trick I had to pull here was ticking the checkbox titled Run in logged-on user’s security context on the common tab. This is because only the user has permissions on their home directory, so this preference needed to run in the context of that user for it to work successfully (without access denied errors).

Once this was finished, the system started to work flawlessly. I copied the contents of existing Firefox profiles to the newly created directories, and they were picked up by Firefox with no problems. New users get blank profiles as expected, but they are stored on the file server instead of the local machine. One little issue I have encountered is that a user can’t logon at more than one machine, and start Firefox – as the program can’t lock particular files in the profile. This just results in a message saying this Firefox is already running though, which is pretty much correct (and I can’t see why this would ever cause problems for the user).

The last trick I employed, to make things a little speedier and to reduce uneccesary file server traffic, was to disable disk caching on the roaming Firefox profiles. To do this, I used a file policy in GP Preferences to copy a tiny user.js (Firefox’s preference file override) which contained only one line:

user_pref(“browser.cache.disk.enable”, false);

This turns off disk caching completely, which will not only save space on the file server, but should speed things up as well. I hosted this file elsewhere on the file server, and told the file policy to simply copy it into place, within the user’s Firefox profile. Here’s the preference:

So there you have it, my technique for enabling roaming Firefox profiles. If you’ve achieved the same through a different method, or have any ideas on this this could be improved, then I’d love to hear how – feel free to comment on this post.

My life has been pretty busy as of late, mostly with a new project I am working on called BackTrac. I am developing a network backup solution, written entirely in Python – using the Django framework as a front-end web interface.This came at quite a good time, as I’ve been asked to give a presentation on any highly technical topic, on which I know my stuff. The plan is to use BackTrac as a base, and to explain the technical concepts behind the system that make it work. The things I am going on concentrate on are:

• Pyhon in general
• XML-RPC
• Filesystem hardlinks
• The MVC concept, and Django

This should be enough content to fill a 15-minute slot, I hope.

Now I’ll explain a little bit about how BackTrac works, for the benefit of those not coming to the presentation.

What I wanted to achieve with BackTrac was a smart backup system, that doesn’t necessarily have to be the fastest. I wanted a very detailed web interface, with scheduling capabilities and log view. I decided on Django for this, seeing as I had already decided on Python for the system itself.

The nodes in the system use XML-RPC to communicate, and SMB for the actual file-copying. The real bonus of this system is that it takes advantage of a little-understood feature, present in most modern filesystems, called hardlinks. Hardlinks enable the user to essentially point to the same piece of data on a disk from more than one position. Essentially the concept is that if a file has been backed up before, why back it up again? Just create a link or “shortcut” (a hardlink) to the previously backed-up file. This is the basis for BackTrac.

Also, Django is turning out to be a real treat. This is the first time I have used an MVC like Django, and I’m really enjoying it. Web development is exciting again! I do agree with one point however, that Django makes the easy things easy, and the hard things impossible. Not quite impossible in my case, but I’ve had to do some pretty strange things to get Django to do what I want.

Finally, I’ve had the BackTrac project approved on Sourceforge.net, so watch out – I’ll be doing the initial import soon and getting some web content online. First though, I have to decide on the best way to distribute the application. This is a bit more complicated than it might otherwise be, because there are three different aspects of the system – the client application, the server application, and the Django project. On this topic or any other, as usual, opinions are most welcome.

To go with the recent network upgrades and anti-spam system, I have been working on a new way to back all this information up. The solution I’ve come up with is surprisingly simple: VSS Snapshots with Robocopy to mirror the changes. The basic idea is that the backup script creates a Volume Shadow Copy Service Snapshot, and “exposes” (mounts) the snapshot with an unused drive letter. Robocopy then mirrors the contents of this snapshot to the backup drive, allowing even files that are locked to be backed up. Add in a bit of error-checking and status emails, and we have a pretty solid backup system. I’ll run through the details below.

To create the VSS snapshot, I used a script sourced from an MSDN blog called CreateShadow, which I modified slightly to suit my purpose. I had it keep the temporary variables script, so I could use it later on (once the backup has finished) to delete the snapshot.

Once the snapshot is created and exposed, I used Robocopy with the mirror (/MIR) switch, to copy the contents to the backup drive. It just so happens that the backup drive is connected to a Samba server running on Ubuntu. This meant that I ran into a problem with timestamps whereby files were always classified as “newer”, even if they hadn’t changed at all since the last run. I fixed this by using the Fat File Times (/FFT) switch which gives a 2-second granularity on the timestamp of files, which solved the issue straight away.

The backup having completed, the script calls the temporary variables script generated by the CreateShadow script, to reinstate the snapshot ID, which is then used to remove the shadow copy cleanly.

In theory, this is an extremely efficient and robust backup system – not to mention being completely free of any licence fees. I may improve it in the future by adding functionality with multiple backup sets – at the moment I only have one day to recover from any accidental deletions – barring the previous versions.

One thing I am stuggling with at present, however, is the fact that when the backup runs under scheduled task at 3am, a number of files throw access denied errors – namely any files or directories with special characters. This is a particularly strange issue as the process works flawlessly when launched manually. I am still trying to solve the issue, but I’ll be sure to post an update if and when I find the solution.

Recently I have been having a strange issue on my desktop PC, whereby saving an Office document (Word, Excel etc.) inside the My Documents folder – which is redirected to my file server – gives the following error:

There has been a network or file permission error. The network connection may be lost.
(<filename>)

I’ve been trying to find out the cause of this for some time now, while working round it by simply saving the file to my desktop and copying it over to My Documents.

Anyway, I have just found the problem. I had a little plugin installed that allowed the indexing service on Windows Vista to index a network location, meaning I could search the My Documents folder quickly. This was the cause of the issue, and removing the index solved the problem. I wanted to write the solution up here in the hope that this helps someone in the same situation.

Note: There have been other solutions to this problem cited, including anti-virus programs, and network congestion.The KB article for this issue is located here.

My home network has been growing and growing ever since the start. At first, just little linux firewall, and it’s not done yet.

I’ve recently upgraded the my new server, adding another 4GB of RAM to bring the total to 8GB – to give me some more room for playing around. Also, I’ve decided that with all that extra memory I can upgrade to VMware Server 2.0 safely, and all seems to have gone well. Also surprisingly, the load on the machine hasn’t gone up, even with the addition of 2 new virtual machines.

The first new server is an anti-spam gateway for my Microsoft Exchange organisation, and is working flawlessly so far. Second is a Windows Server 2008 machine, which I plan to migrate the domain onto some time in the future. I plan to do some work with the brand new O/S, and see what’s what. I’m sure there will be plenty of material to keep up-to-date with, so keep checking back!

My new laptop, a Dell Studio 1535, has started exhibiting a strange problem as of late; when I hibernate it over night, it resumes early in the morning, waking me up with the fan spinning.

I was preparing to send the thing back to Dell, when it happened one night and I checked out the event logs. It turns out that Windows Update was resuming the machine from hibernate – and then updating itself. After turning this off, I’ve had a good night’s sleep! Also, Windows Defender was scheduled to scan the machine every morning at 2.00am, so that’s been disabled too.

-

I hope this post can provide answers to anyone else experiencing a similar issue.