Spent half the day trying to figure out why a Sun Directory Server had suddenly lost its ability to replicate over SSL. The logs said:

[21/Nov/2006:00:01:00 -0800] - INFORMATION - NSMMReplicationPlugin - conn=-1 op=-1 msgId=-1 - Replication over SSL FAILED as SSL is not enabled. Check that the attribute nsslapd-security in cn=config is on.
[21/Nov/2006:00:01:00 -0800] - ERROR<8318> - Repl. Transport - conn=-1 op=-1 msgId=-1 - [S] Bind failed with response: SSL configuration error (808).
[21/Nov/2006:00:01:00 -0800] - ERROR<8221> - Incremental Protocol - conn=-1 op=-1 msgId=-1 - Failed and requires administrator action [ldap.example.com:636]
[21/Nov/2006:00:01:00 -0800] - ERROR<8221> - Incremental Protocol - conn=-1 op=-1 msgId=-1 - Failed and requires administrator action [ldap.example.com:636]

Google turned up nada. In the end, it turned out that the last time the directory server had been started, the security token had not been provided. Restarted the server, typed in the token on standard input, and replication works again.

Yes, this is a job for expect -- but this approach has failed for coworkers in the past. I'll have to look into it.

(Note: edited to actually be correct this time. :-)

While trying to get a Sparc machine to boot disklessly so I could install OpenBSD on it, I kept getting these errors:

Boot: bsd.rd
Automatic network cable selection succeeded : Using TP Ethernet Interface
Using BOOTPARAMS protocol: ip address: 192.168.23.25, hostname: roark
root addr=192.168.23.10 path=/home/aardvark/openbsd-sparc64/chroot
open /sbus@1f,0/ledma@e,8400010/le@e,8c00000/bsd.rd: Unknown error: code 72

tcpdump showed that the machine was trying to contact the NFS server (192.168.23.10) by udp on port 0; the server kept responding with an ICMP port unreachable error. Googling turned up one other person back in '99 (!) who had the same problem, but no fix.

What was weird was that this had worked during an earlier install -- only the running of MAKEDEV hadn't completed (don't ask), so I didn't have /dev/console when I booted up, which meant no nothing once it tried to mount the root directory.

I started looking at the traffic in greater detail, and saw that the packet to port 0 was, according to Ethereal^WWireshark, a nicely formed NFS call trying to get the filehandle for the kernel (/bsd). Well, what would make it send it there? After all, mountd was listening on the same port it'd been contacted on a moment ago...

Looking at the call to portmap on port 111, I saw that the client was asking for the port for nfsd, but was being told that there was no such thing -- that the port number was zero. What the...I checked rpcinfo -p and saw that, yep, there was no nfsd...and then realized my mistake: mountd only deals with mount requests; it's nfsd that actually reads/writes files, gives information about their size and modification times, and so on. I'd been starting the NFS stuff by hand since this was a one-off, and had totally forgotten to start nfsd. I did so, and suddenly all went well. PEBCAK.

Thursday: Go to The Other University to do some prep for the move coming up next week. Check in with their computer store (where you pretty much have to buy things) to see how the order on the console server is going. The guy behind the counter looks up the order, frowns, and tells me that it seems their supplier does not have one in any of their three Canadian warehouses. Okay, so how long will it take to get one in? He looks at me earnestly and says that, sometimes, they never come in. I ask at what point I can count on the supplier a) giving up and b) informing me of that fact. He frowns again, and suggests that I check back in a couple weeks (four weeks after I've placed the order) just to be safe.

Friday: Get email from contractor/university liason for new building to say that network and electrical connections will not be ready in time because the requests were received so very late. While The Other Guy was supposed to get them in long ago, I should've been on top of this.

Monday, a stat in Canada: Go to the old building to do a serverectomy on a soon-to-be-formerly shared rack. The Other Guy mentions that the new server room has water on the floor. I go over to look, and it's a rapidly evaporating puddle, irregular in shape and maybe two metres across at its widest. I can't figure out where it's coming from. Turns out there's some other stuff that should become formerly shared as well, so I spend time poring over Sun Enterprise 1 workstations (which I like) and old inkjet cartridges for printers that may no longer be around (which I don't like). Ask The Other Guy, who's been involved with the move a lot longer than I have, what electrical connections he's asked for him and for me (long story) in the new building. He says that he gave them the model number of the Sun rack he's got (which has built-in, and very nice, PDUs) and asked them to figure out what he needs.

Tuesday: Moving day. As expected, network and electrical are not present; we've got 2 x 15A 120V circuits. Also, the leak is back, and we can see that it's coming from a small leak in the concrete roof. I move my rack into another room; The Other Guy spreads a blanket over his rack. The liason promises us that the contractors are on the job to fix the roof. The network connections (two fiber, two Cat5) get terminated, so I call the local network folks to get that taken care of. The university wireless network is not present in the new building.

Wednesday: The contractors show up to start fixing the leak. The network connections have been set up. The contractors have put in a big tube of plastic sheeting, taped to the roof at one end and a 40-gallon recycling barrel at the other. The Other Guy decides things are good enough and starts setting up his rack; I elect to hold off another day.

Thursday: The contractors say the roof is fixed, so I move the rack in and start hooking things up. The new OpenBSD firewall comes up nicely -- thank you, pf developers -- as does the main Sun server. Next up is the SunRays in the lab, only they're not. I take my laptop in and try to verify connectivity. I can't. The Other Guys suggests that the VLANs on my new switch are the problem and suggests just simplifying things. I do and keep testing. Traffic from the laptop's RFC 1918 address just never makes it to the server. In a fit of desperation I try using an address in our routable subnet, and it works. This takes me until 8pm to figure out. I email various bosses explaining how far I've got, and the campus network folks to ask if they're filtering this subnet in some way. (This isn't completely out of the question; this place has a reputation for a pretty locked-down network.)

Friday: I buttonhole the guy at the campus network office and ask him about this. He considers this and realizes that while he's forgotten to unblock DHCP (told you it was pretty locked down), the other behaviour I'm seeing can be explained if I've somehow got my interfaces crossed. I'm doubtful but give it a try, which is a good thing because suddenly everything works. I don't understand it or what I did wrong, but assume that I was simply too tired the previous night and thank him profusely for taking the time to talk to me. I am now where I should have been twenty hours before. Mighty battles emerge with Sun's DHCP and Sunray servers. In the end, I have to delete the Sunray configuration, delete all DHCP configurations, and then add the Sunray configuration back. This works, which annoys me; why are there all these opaque configurations around? Not a single plain-text file in sight. I manage to get a printer working, then another. DHCP is modified so that laptops work as well. I call it a night and head home.

Woot! I managed to install OpenBSD 4.0 on my work laptop this afternoon while Arlo slept in my arms. Not only that, it automagically set up X and I figured out wireless + OpenVPN. Woot! Firefox is running, I've got Mozex and Adblock going...the only thing left is to figure out how to get IceWM to start up automagically.

If your machine has hard drives that are, in theory, removeable because they have a front catch, but in practice require you to open up the case to disconnect the SCSI and power cables, that's not a server.

If your machine's CD drive fails and it takes you fifteen minutes of searching to find the unlabelled holes on the bottom of the case that allow access to the screws that are attached to the bottom of the drive so that you can actually remove the drive, that's not a server.

For $399 US, thank you, for the Academic edition of MathMagic, I expect better goddamned installation instructions than this:

- Windows
- MathMagic Pro Edition Full installer with some old versions of fonts and
Plugin
(Please run this full installer first.)
[ a url ]

- MathMagic Pro Edition v3.5 (application only. The latest version.)
(Please use this v3.5 application, instead of v3.0 installer by the
installer, after moving it into /Program Files/MathMagic Pro/ folder)
[ another url ]

- new CS & CS2 plugin
(Please use this Plug-in, instead of the Installer installed one. Copy
it into InDesign's Plug-ins/Equations folder.)
[ whee! lookit alla urls! ]

- new fonts for PDF embedding
(If you want to embed MathMagic fonts in your PDF documents on Windows,
please download the new MathMagic TrueType font set, and replace the
preinstalled ones(remove the old MathMagic fonts from Windows Fonts
directory and copy these new fonts into Windows Fonts folder).
[ sale! sale on urls! ]

The email goes on to suggest that installation instructions can be found on their website (but neglect to mention that it only covers the Mac version), or "in User Guide documents that you can find after installation." What a crock.

Thank you to our sponsors for the title.

Good news: I'm going to LISA! I convinced my employers to heavily subsidize my trip. I've booked a double room at the hotel; I'll be posting to the roomshare mailing list shortly, but feel free to comment or email if you wanna split the cost.

Bad news: I somehow borked X on my desktop at work yesterday. The symptoms are quite strange, and mostly involve not being able to click on a window and have focus move there. It's IceWM, and I haven't changed focus model, and the symptoms persisted over multiple restarts of KDM (ctrl-alt-backspace). I looked for open files, running processes and even removed .gconf* and .gnome* on principle; nothing. The only thing that was different was running, for the first time, the new(ish - 1.5.0.2) version of Firefox after d/l it from the Mozilla site. The machine is running SuSE 10, and for various reasons I can't update it right now. In the end, I got desparate enough to try a reboot, and of course that fixed it...which is NO FUCKING WAY to solve problems, dammit.

(Interesting how this pokes holes in my manly command-line-only stance; yes, I was able to get some work done by going to the console, but frankly I've become very very used to managing terminals and a browser with IceWM and it's hard to switch back. Damn.)

Weird news: A while back I came across a problem with a Solaris 10 machine: lpq just hung, and eventually timed out with an error (that I haven't written down, so I suck). Eventually figured out it was trying to contact the lpd service on the machine's main interface (handwave goes here about BSD-compatibility printing commands), which should've been run by inetd. Okay, but inetd is now taken care of by inetadm and svcs, not /etc/inetd.conf anymore. And while the command is called in.lpd, it's actually called svc:/application/print/rfc1179. Which is in maintenance mode, so start it up only it doesn't and I cannot figure out why: no log files I can see (the scattering of log files in a default Solaris install is really driving me nuts), no reason given, nothing. I ask another sysadmin who admits he's stumped by it but just for fun tries putting in an entry in /etc/inetd.conf and then running inetconv, the way you're not supposed to have to do except for weird legacy stuff that hasn't been moved to svcs yet. And damnitall, it works. Again, no idea why.

And that is it for now. I am tired beyond belief, having moved up my annual snifter of port from Xmas to go out with coworkers last night. I stopped drinking at 7pm and I'm still tired today. Pathetic. Arlo would be so disappointed in me.

When my wife went to pick up the co-op car we'd booked for Sunday, she found that the mirror hanging off the door by the control cables. Fortunately, a little camo duct tape -- a Christmas gift from my parents -- took care of it (at least until the co-op can get it fixed).

And then there's this. Thanks to John and Arwen for Arlo's shirt, and to Theo et al. for mine.

Two Top Tips:

1. Trying to NFS mount something (Solaris client and server) and getting error 7 (RPC: Authentication error)? Check /etc/nsswitch.conf on the server and make sure that things like auth_attr, netgroups and so on are not set to use (say) ldap [NOTFOUND=return]. Doubly so if you've just run ldapclient -v init the night before and forgot that, surprise! it changes nsswitch.conf.
2. Starting up OpenOffice on Solaris 9/Gnome only to see gibberish in the title bar rather than the file name? Log out, and in the whatever-DM login screen go to Language and select C - POSIX. Log back in. Works like a charm!

These Top Tips brought to you by the number Pi and the beverage Beer.

I just love clever network hacks.

Speaking of which, I think I'm going to ask my boss if she'll send me to LISA. I didn't realize I had sysadmin heroes 'til I started looking at the program: Æleen Frisch! Michael Lucas! Tom Limoncelli (who's working at Google now, natch)! W. Curtis Preston! But also Dan Fucking Kaminsky, that's who:

I like big graphs and I can't deny...You other hackers can't deny...when a packet routes in with an itty bitty length and a huge string in your face you get sick...cuz you've fuzzed that trick...

...who's going to be presenting the results of a worldwide SSL scan among lots of other stuff.

I think it'd be great to attend, but it's a long shot. Wish me luck.

This is going to be a long story, but I hope it'll be instructive. Bear with me.

Back at my last job, we had a Samba server, running on FreeBSD, acting as a Primary Domain Controller for around 35 W2K machines. The same machine also acted as NIS master for a similar number of FreeBSD machines. It also did printing, mail, DNS, and half a dozen other things. This machine was getting old; it's CPU usage was often pegged by a large print job, it was running out of disk space, and I was beginning to be worried about the inevitable day of death. I began planning for the upgrade: a new machine, faster and bigger hard drives, more memory and gigabit ethernet for the day we all moved to GigE. Oh, and rack-mounted...definitely rack-mounted.

The opportunity was taken to upgrade much of the software on the machine, including Samba. I decided to move from 2.2 to the 3.0 series; the speed differences seemed pretty impressive. I also wanted to get as many of the big upgrades done at once as possible: the prospect of going through the upgrade repeatedly did not appeal.

Of all the upgrades I was doing, Samba made me the most nervous. I read through the excellent (and Free) Samba HOWTO and made notes: how to move to the tdsam password database, changes in configuration options, and so on. I had the new server for a while, so I was able to run through many tests: getting a Windows machine to log on, DNS queries, and so on.

Finally, the big day came. I went in on a Saturday and made the move. Most of the rest of the day was spent testing, chasing down the inevitable mistakes, and testing some more. I tested by logging into machines after they'd joined the domain, and making sure that everyone could still log into their workstations. All told, things went pretty damned well, and I congratulated myself on a job well done.

Later though, a few things began to crop up that I haven't been able to explain. I could no longer add new domain accounts to SSH under Cygwin. A shared printer wasn't being shared any longer. In fact, shares weren't working at all. I banged my head against this for a while, but since the problems were pretty erratic they tended to fall to the wayside in favour of explaining, one more time, why the words "spare computer" were self-contradictory.

Finally, though, I put some more time into it. And it's a little hairy, especially for this Unix guy, so bear with me.

(Incidentally, I couldn't have figured out half of this without the help of Clarence Lee, a co-op student working with us. Sure, he uses IIS, but he firewalls it with OpenBSD and he got an internship at Microsoft. He's a good guy.)

The shared printer: could not figure out what was going on here. Guy who had it could print to it, no problem. Used to work for everyone, no problem. Now it wouldn't work. Broke the problem down to the point where I was using smbclient on FreeBSD, or net view on W2K, to try and list the shares, and that didn't work. Not any of them -- not IPC$ or anything. I was fairly sure this wasn't supposed to be happening.

There was a machine in limbo (not the same as spare, thenk yew!) while a coop student became permanent. I got it using the other networked printer, and tried sharing it. Again, command-line utilities would simply not list the shares. What's more, when I tried getting other people to log into the machine (I was fairly irritated at this point, and not at my most rational), they couldn't log in. WTF? I could log in, and there had been no complaints from the person whose machine it had been.In a moment of irritation, I got the test machine to rejoin the domain...and suddenly, everything was working: I could list shares on it, other people could list shares on it, people could log in, and everything. Yay! It's so simple! Rejoin the domain! Everything will be great!

Ha! It is to laugh. Profiles were not coming in when people logged in. My Documents was empty, they got that stupid, evil, vile "Let's take a tour of Windows! And let me help you set up your network! DO IT!" popup window. I couldn't figure it out.

Clarence and I banged out heads against it some more, and finally came to a conclusion.

When you migrate Samba, you're meant to take the old SID with you using net(8) GETLOCALSID and SETLOCALSID. The SID is meant to be a world-unique string/number that identifies a domain, or an account -- think something like the DN in LDAP, or NIS domainname + UID in Unix. (A user's SID has a part that belongs to the domain, and another, smaller part that is unique to that user.) I didn't do that -- screwup -- and so the Samba server had generated a new SID. As far as Windows is concerned, the identity of your domain is solely determined by the SID; the name is their just for your convenience. (Insert snide remark here about how magic invisible numbers have no business being that important.)

As a result, the machines that were present at the migration didn't know where their Primary Domain Controller (PDC-- the machine officially in charge of the domain) had gone, and were running on cached credentials, profiles and so on. (This is the same thing that allows you to log into a Windows laptop that belongs to a domain, even when you've taken it home and aren't able to reach your PDC any more.) Printing and shared resources from the Samba server continued to run because of open permissions or credentials (ie, user name and password) that don't depend on SIDs.

This also explained why I could log into the machines without problems: because, as sysadmin, I'd logged into all of them before to do maintenance. My credentials were cached, so the machines were able to authenticate me w/o consulting with their (now missing) PDC. And of course, everyone was able to log into their own workstations for the same reason.

So: machine rejoins the domain and people can log in, because now the machine can find its PDC and verify their passwords. But profiles aren't showing up because the profile's NTUSER.DAT -- the user's hive, loaded into the registry at HKEY_CURRENT_USER when they log in -- belonged to/was marked with/was owned by the account's old SID, and Windows refused to load it and lots of stuff broke or was missing.

After some more searching, I finally figured out the way around this.

First, you need to use the profiles(1) tool in Samba to change the SID on NTUSER.DAT, which'll be wherever Samba keeps profiles. You should check their SID in Samba by using pdbedit(8), though odds are the user ID/group ID part will have remained the same.

Second, you need to take care of the profile. There are a few ways of doing this. The easiest way is to copy the modified NTUSER.DAT to their profile directory, then log into the machine as Administrator and join the new domain, then get the user to log in. Their profile will be copied over, just as if they'd logged into a machine for the first time. However, this can cause problems with certain programs who haven't been informed about the change.

To illustrate: if the domain name is named EXAMPLE, and the user account is jdoe, then their profile will usually be at C:\Documents and Settings\jdoe (let's just call that D&S\jdoe for short). However, D&S\jdoe will belong, after joining the new domain, to an old account that's no longer around, which means that Windows will put their profile somewhere else -- probably something like D&S\jdoe.EXAMPLE. Odds are, though, that the old path will still be in the registry or other files, which means a lot of cycles of "Why-did-that-break-let-me-fix-it". Another option is simply to move D&S\jdoe out of the way, so that paths can remain the same. Finally, you can also change ownership recursively to the new account once you've joined the domain; this will take a while, but it's probably quicker than copying the profile over wholecloth if they've got a lot of files. If you do this, it's best to remove the machine's copy of their NTUSER.DAT file; it'll just be copied over from the server.

This took a lot of work, of course, and usually there were things like Outlook.pst to screw things up further. But after much work, I finally got everyone moved over to the new domain, and things were good again.

Lessons learned:

1. Take the new SID with you.
2. Learn how something works, even if it stinks.
3. Testing the usual is good and necessary. So is testing things that wouldn't ordinarily happen.
4. You can never know too many people on the other side of the fence.

I had a problem with X recently; after a restart, the Alt and Windows/Menu keys on my Microsoft Natural keyboard did not seem to work with X.org. I'm running Debian testing and I upgrade weekly, yet an X session might not restart for a long time...so it's hard to be sure when this started.

I finally managed to track it down to an error that could be shown like so:

$ setxkbmap -print | xkbcomp - $DISPLAY

Error: No Geometry named "microsoft" in the include file "pc"
Exiting
Abandoning geometry file "(null)"

This error also showed up in /var/log/Xorg.0.log. After much, much, much searching I finally came across this ten-year old posting to comp.os.linux.misc from who I'm pretty sure is this guy. And it worked a treat: by adding the line

Option "XkbGeometry" "pc"

to the keyboard section, poof! all my windows-menu-alt keys have come back.

OpenBSD works under Xen (mostly), thanks to Google's SoC. Coolness! I'm pulling a copy of the repository now, and maybe I'll be able to get TKYP working this way too. My devel box, a nice P4, appears to be borked: it's currently shutting itself down every 20 or 30 minutes. This'd let me run near-native on my desktop machine, a much slower (but actually running) P3.

Between OpenBSD and OpenSolaris, I might be running a lot more on this machine. Of course, I still have to follow Alioth's advice and start running my webserver under it...

....that I'd be wearing a Baby Bjorn and singing my kid to sleep with Joy Division's "Dead Souls". Clara and I dragged out a bunch of tapes yesterday, and man, I haven't listed to that one in years.

A few things.

First, Arlo is doing well:

http://saintaardvarkthecarpeted.com/images/arlo_strangle_dad.jpg

Second, there's this.

Third, work has started on the world's most useless project: Theo Kills Your Pony, the aggressively destructive Unix-like system. (Thanks to Zen Render for the name!). I'm attempting to do things semi-right, and that means I've had to learn a bit more about how OpenBSD (and BSD in general) is put together.

Like what? Well, like the name for example. The OS is called TKYP, so that's what I want to show up everywhere. I figured I would start with the output of uname(1), since that's the most Thing is, this took a surprisingly long time to track down.

uname(1) is, as you might expect, a simple wrapper around the uname(3) libc function, which is in turn a pretty simple wrapper around a sysctl call. Through paths that, frankly, I'm still tracking down, you finally get to sys/conf/newvers.sh -- a simple shell script that creates a file called vers.c and sets the variables ostype, osrelease and osversion within it. (Paths are relative to /usr/src, BTW.) After that, the different sys/arch/*/conf/Makefiles compile it -- sys/arch/i386/conf/Makefile.i386, for example -- and then include it in SYSTEM_LD. After that, <handwave>I think these values are simply returned by sysctl(3)</handwave>.

Okay, so now I've tracked that down; I rebuild and install the kernel, then reboot. (QEMU rocks for this sort of thing.) And yay, it works:

-bash-3.1# uname -a TKYP tkyp-qemu 0.1 GENERIC#0 i386

Now to rebuild world, right? Wrong: first, Apache kept refusing to compile with an error about not being able to find -ldbm. Trolling through the mailing lists only found one message mentioning a similar problem, and no reply. The CVS tree showed that, since 3.9, a couple minor changes had been committed to the httpd Makefiles mentioning that OpenBSD has used its own dbm library for a while. I tried making a few changes, but couldn't get it to work. So I cheated: I removed httpd from usr.sbin/Makefile and moved on with my life.

Next problem: the GNU configure tools haven't heard of TKYP. (I'm sure I emailed RMS about this...). gnu/usr.bin/binutils is the first thing compiled in world that uses these tools, so that's where I'm looking first. A little judicious editing of config.guess (which guesses the OS and architecture), configure (which figures out what needs to be done for the OS/arch) and config.sub (which says it's a "configuration validation subroutine script"; I'm guessing a basic sanity check) takes care of thing. They're fairly simple changes, as it's pretty much just a matter of copying the OpenBSD entries.

And all this before I can even throw in anything nasty! I got big plans, of course -- SIGKILL replaced with SIGHUP, rot13 encryption for passwords, and the RTM worm pre-installed -- but I haven't even had a buildworld finish yet. Plus, there's the cautionary tale of MicroBSD to keep in mind...whatever else I do, I wanna make sure I piss off Theo for the right reasons. :-)

(Incidentally, the email to root is in etc/root/root.mail; etc/Makefile installs it in the right place. I thought for sure it'd be in share for some reason. newvers.sh mentions this file, plus a few others, that need to be changed to reflect new version numbers.)

before I go back to changing diapers: from the ever-excellent Secrecy News comes a link to this report from retired US Army General Barry McCaffrey on his visit to the Guantanamo Bay prisons.

The report is well worth reading. As summarized in the newsletter:

"The JTF Guantanamo Detention Center is the most professional, firm, humane and carefully supervised confinement operation that I have ever personally observed," he stated.

At the same time, "Much of the international community views the Guantanamo Detention Center as a place of shame and routine violation of human rights. This view is not correct. However, there will be no possibility of correcting that view."

"There is now no possible political support for Guantanamo going forward," Gen. McCaffrey wrote.

McCaffrey acknowledges in the report that "During the first 18 months of the war on terror there were widespread, systematic abuses of detainees under US control in Iraq, Afghanistan and Guantanamo. Some were murdered and hundreds were tortured or abused. This caused enormous damage to U.S. military operations and created significant and enduring damage to US international standing."

Yet nowhere in this report does he seem to realize that the U.S. also was condemned for its lawlessness:

The great value of the platform of Guantanamo was that it was a military space in which no Federal District Court had primary jurisdiction. For that reason alone, Gitmo has over the past 45 years been the location of choice for US migrant refugee operations (no appeal to the INS process) as well as other secret operations. No applicable foreign law, no foreign diplomatic intervention, no Federal Court civil orders, no nosy intervention by a US Ambassador -- only the exercise of unilateral military power and the tool of the Uniform Code of Military Justice. It was the perfect deal. No more.

The mourning of the loss of a place over which no court had jurisdiction, into which no "nosy" US ambassador could look, is entirely unbecoming of any democracy -- let alone one that views itself as the Great Vending Machine of Liberty. Yet this point flies right past the nose of a man who gives an otherwise straightforward and unblinking account of Gitmo's failures.