The Swede in the middle of Silicon Valley

Monday, October 12, 2009

Closing blog

As I've recently decided to get my own company going again, I've made the decision to close this blog. It will still be available as is, but there won't be any further posts. For technical solutions etc. please refer to kb.sedoss.com, where I'll post future technical solutions related to my consulting company.

Thanks to all of you who have followed my blog; as you hopefully know, you can get to my personal blog via me.garnser.se.

Wednesday, September 16, 2009

Creds to Microsoft

Throughout the last few weeks I've somewhat raped my soul and gone against most things I believe in. Why? I've done a Windows AD implementation to solve a somewhat interesting problem.

I've been working with an organization to help them create a centralized way of handling authentication across the board; this includes Windows, Linux and OS X servers and clients. Looking at the problem initially, I gave running Samba as a PDC a try, but unfortunately the development hasn't come as far as I hoped, so I gave up on that idea.

The solution I ended up choosing (which I haven't completely finished yet) is to utilize Windows AD and all that comes with it. As many know, AD + Linux has never been a fun thing to deal with, until recently, when Microsoft decided to implement RFC 2307 for Unix attributes. This makes life a lot easier, and I managed to put together a working solution in just a few hours, including group definitions!

For now I'm still working on having Samba authenticate against ADS so that shares can be maintained on a Linux box rather than a Windows server (who wants to run NTFS anyway?). There are still some issues with it, but I hope to have them ironed out pretty soon.

Didn't think I would say this but thank you Microsoft for opening up for us Unix-hackers!

Saturday, September 5, 2009

Making smbldap-tools rfc2307bis

Just stumbled upon a setup where I had to make smbldap-tools rfc2307bis compliant; figured I should post the patch here.

This adds ou and uniqueMember to smbldap-populate.

*** /usr/sbin/smbldap-populate.orig 2009-09-05 09:58:29.000000000 -0700
--- /usr/sbin/smbldap-populate 2009-09-05 10:04:10.000000000 -0700
***************
*** 285,293 ****
--- 285,295 ----
loginShell: /bin/false

dn: cn=Domain Admins,$config{groupsdn}
+ ou: Domain Admins
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 512
cn: Domain Admins
memberUid: $adminName
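Review bot: the added `ou: Domain Admins` line only repeats the cn and is required by neither rfc2307bis posixGroup nor groupOfUniqueNames (ou is optional on the latter), so either drop it or say in the post which consumer needs it. What this hunk really needs is groupOfUniqueNames as the structural class now that posixGroup is auxiliary under rfc2307bis, and that class requires a uniqueMember, so this entry will end up carrying both `memberUid: $adminName` (context line) and a uniqueMember (next hunk); since the patch only touches smbldap-populate, group changes made later with the other smbldap tools will update memberUid but not uniqueMember unless those tools are patched as well.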
***************
*** 295,344 ****
--- 297,359 ----
sambaSID: $config{SID}-512
sambaGroupType: 2
displayName: Domain Admins
+ uniqueMember: uid=$adminName,$config{usersdn}

dn: cn=Domain Users,$config{groupsdn}
+ ou: Domain Users
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: $config{SID}-513
sambaGroupType: 2
displayName: Domain Users
+ uniqueMember: uid=$adminName,$config{usersdn}

dn: cn=Domain Guests,$config{groupsdn}
+ ou: Domain Guests
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: $config{SID}-514
sambaGroupType: 2
displayName: Domain Guests
+ uniqueMember: uid=$guestName,$config{usersdn}

dn: cn=Domain Computers,$config{groupsdn}
+ ou: Domain Computers
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: $config{SID}-515
sambaGroupType: 2
displayName: Domain Computers
+ uniqueMember: uid=$adminName,$config{usersdn}

dn: cn=Administrators,$config{groupsdn}
+ ou: Administrator
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
+ uniqueMember: uid=$adminName,$config{usersdn}

#dn: cn=Users,$config{groupsdn}
#objectClass: top
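Review bot: `ou: Administrator` in the Administrators entry does not match `cn: Administrators`; every other entry in this hunk uses the cn value, so this looks like a typo. Also, the admin account is used as the uniqueMember placeholder for Domain Users, Domain Computers and Administrators (Domain Guests gets $guestName), which makes $adminName a member of Domain Computers on any client that resolves group membership through uniqueMember; if the line is only there because groupOfUniqueNames requires at least one uniqueMember, a placeholder DN (the group's own DN is a common choice) states the intent better than a real user.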
***************
*** 375,389 ****
--- 390,407 ----
#displayName: Power Users

dn: cn=Account Operators,$config{groupsdn}
+ ou: Account Operators
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators
+ uniqueMember: uid=$adminName,$config{usersdn}

#dn: cn=System Operators,$config{groupsdn}
#objectClass: top
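Review bot: Account Operators had no memberUid in the original entry (see the context lines), so adding `uniqueMember: uid=$adminName,$config{usersdn}` here grants the admin a membership it did not have before on clients that read uniqueMember; the same placeholder-DN suggestion applies, and the post should mention that populate now enrolls the admin in the builtin operator groups.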
***************
*** 397,433 ****
--- 415,460 ----
#displayName: System Operators

dn: cn=Print Operators,$config{groupsdn}
+ ou: Print Operators
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
+ uniqueMember: uid=$adminName,$config{usersdn}

dn: cn=Backup Operators,$config{groupsdn}
+ ou: Backup Operators
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
+ uniqueMember: uid=$adminName,$config{usersdn}

dn: cn=Replicators,$config{groupsdn}
+ ou: Replicators
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
+ uniqueMember: uid=$adminName,$config{usersdn}

";
if ("sambaDomainName=$domain,$config{suffix}" eq $config{sambaUnixIdPooldn}) {
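Review bot: Print Operators, Backup Operators and Replicators all get the admin as their placeholder uniqueMember, and the Backup Operators description (context line) says members can bypass file security, so this is where an unintended uniqueMember-based membership matters most; use the same placeholder DN as suggested for the other hunks, or keep the membership and document it next to the `uniqueMember:` lines so the extra rights are a deliberate choice.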

Monday, August 31, 2009

New project going down

I'm currently working on a new, exciting open-source project which is taking up the vast majority of my time. Once it's official I'll hopefully get back to something like my normal life and start posting more again; for now, follow me on Twitter.

If you are or know someone who may be interested in contributing with code or design please contact me directly at jpetersson [ at ] garnser dot se.

Tuesday, August 11, 2009

Flow control routing

Just this morning I stumbled upon an article about Lawrence G. Roberts' work on flow-control routers. I'm a bit surprised that I haven't come across his work earlier, given that he's been in the market with this since 1999.

The technology behind flow-control is well described in the following chart:

If you're interested I would give the article a read. It's quite impressive that we've been able to keep up the last few years with 40-year-old technology; I'm sincerely hoping to see more of these solutions in the future, especially if someone decides to implement it in the Linux kernel.

Wednesday, July 29, 2009

MySQL.com down

As some of you may have read, we recently had an outage with MySQL.com; we're now back up and in better shape. Due to this I'm now back in Sweden for a couple of weeks, hacking a bit; hopefully I'll be able to post some fancy diagrams about it here at some point.

Wednesday, July 15, 2009

Going private

Given that the nature of this blog has become quite technical, I've decided to break out the portion of it that has more of a personal touch. I'll try to post updates more frequently on the new blog about things going on in my life and my thoughts on various decisions. This blog will stay around, but I'll limit it to technical information and solutions only for now.

You can follow the new blog at me.garnser.se

Tuesday, July 14, 2009

SMS-proxies

Communicating across the Atlantic in an easy and cheap way has always been a hassle; surely products like Skype and IM have helped with this a lot, but it's still not a perfect solution given that there are some restrictions.

I've recently gotten myself into a situation where I want people in Sweden to be able to send me SMS from Sweden, paying no more than their usual local rate, and have their messages end up on my phone with no extra charge.

I'm sure that if anyone at AT&T sees this they're going to get furious about it, but hey, hackers will always be around doing stuff like this; adapt to the new technology instead.

Either way, starting to look into this problem I was thinking about a couple of SMS projects I did a couple of years back. Unfortunately all of these were paid services, meaning that if I were to receive any message the sender would pay a minimum of 5 SEK ($0.5), which kinda kills the idea of the project. After poking around with colleagues someone gave me a tip about Ballou, which has SMS services.

So I registered and looked around in the FAQ to figure out how to get things working. I expected there to be an option to have a prefix in an SMS followed by the message, which would be sent to a 5-digit number or similar, but I got a nice surprise: upon request you'll be assigned a dedicated number for no extra cost.

Obviously I would meet some more issues around this. Ballou does have an email forwarding service, so I figured I should try sending it to AT&T's mail-to-SMS service; unfortunately it turned out that Ballou includes a lot more information than I needed for this setup. When receiving an email it is formatted like:

2009-07-13 18:57:36
Från +467066XXXXX
Till +4673012XXXXXX

Text:
Message

And yeah, that's HTML being sent as well. I could probably see myself making use of this extra data in another project, but for this one the only thing I wanted was the actual message; given the restricted number of people I'm giving this number to, I would be able to figure out who it is anyway. So this is kinda where my project took off.

As I've posted about before, I'm using the Google Enterprise services, including email, for my domains. I had somewhat of a naive hope that they would support some kind of macros when forwarding emails, but unfortunately this wasn't the case.

Given the situation I decided to look into alternative ways to get the essential information to my mobile; what came to mind was a quick Perl hack.



This script is quite simple yet powerful; essentially what it does is:
  • Look for any unread message from Ballou notifying me that a new SMS has been delivered.
  • Download the given email.
  • Parse the email for the actual message.
  • Mail to AT&T's mail-to-SMS service.
Even though the setup isn't as straightforward as one could wish, it does the job; if anyone knows another solution that's free you're welcome to ping me about it :).

Oh, and btw Ballou, please honor newlines and don't run s/\n//g on my messages; it's running words together and it's honestly pretty damn annoying.
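To show the parse-and-forward steps above in code, here is an added example in Python (not the post's Perl script, which is not on the page): it strips the HTML from a constructed Ballou-style notification, pulls out the sender and the text, and builds the mail for the carrier gateway, forwarding only when the notification really came from the provider. The gateway address, the provider's sender address and the sample notification are assumptions; the IMAP polling for unread mail is left out.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed stand-in for a Ballou "new SMS" notification (not a real one): the fields the
# post shows, wrapped in HTML as the post says they arrive, with made-up numbers.
SAMPLE_NOTIFICATION = (
    "<html><body><p>2009-07-13 18:57:36<br>\n"
    "Från +46700000001<br>\nTill +14155550100<br>\n<br>\n"
    "Text:<br>\nLanding at SFO 18:40 tomorrow</p></body></html>"
)
GATEWAY = "5551234567@txt.att.net"             # hypothetical mail-to-SMS address
TRUSTED_SENDER = "sms-notify@example.invalid"  # hypothetical provider address we accept mail from

class _TextOnly(HTMLParser):
    """Collect the text of the HTML body, turning <br> into newlines."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "br":
            self.parts.append("\n")

    def handle_data(self, data):
        self.parts.append(data)

def strip_html(body):
    parser = _TextOnly()
    parser.feed(body)
    return "".join(parser.parts)

FROM_RE = re.compile(r"^Från\s+(\+\d+)\s*$", re.M)    # provider's "From" line (Swedish label)
TEXT_RE = re.compile(r"^Text:\s*\n(.*)", re.M | re.S)  # everything after the "Text:" marker

def parse_notification(body):
    """Return (sender, message) from a notification body; ValueError if the layout is not Ballou's."""
    text = strip_html(body)
    sender, msg = FROM_RE.search(text), TEXT_RE.search(text)
    if not sender or not msg:
        raise ValueError("notification lacks the expected Från/Text: layout")
    # <br> plus the source newline gives doubled line breaks; collapse them.
    return sender.group(1), re.sub(r"\n{2,}", "\n", msg.group(1)).strip()

def build_forward(notification_from, body, max_len=160):
    """Build the mail for the carrier gateway; refuse mail that did not come from the SMS provider."""
    if notification_from.strip().lower() != TRUSTED_SENDER:
        raise ValueError("not from the SMS provider, not forwarding: %s" % notification_from)
    sender, message = parse_notification(body)
    out = EmailMessage()
    out["To"] = GATEWAY
    out["Subject"] = "SMS from %s" % sender
    out.set_content(message[:max_len])   # keep it to one SMS segment
    return out
```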

Monday, July 6, 2009

iPhone, a next potential thin client?


I've blogged about this before, but after discussing it with friends and colleagues recently I got a new eye-opener. Looking at thin clients on the market today, many of them have equal or less performance compared to the iPhone 3G(S).

As you may know, Citrix has released an application called Citrix Receiver allowing you to connect to a Citrix server and control Microsoft Windows applications from your iPhone. While this may be a step in the right direction, it's really not enough, as you're limited by the size of the iPhone's screen.

Looking at patents filed by Apple, there's one that comes to mind within this category: #20080002350. This patent describes how you would be able to dock your MacBook (Pro) in an iMac-looking device (see MacRumors). I haven't read the details of which devices the patent covers as potential candidates, but the iPhone surely could be one, in conjunction with a remote-X-like environment such as Sun offers with its thin clients.

Another approach, which Gizmodo posted about, is to make something similar to what Asus is planning to release soon: a keyboard with a built-in computer. However, in this case the computer would be the phone and the keyboard would really just be a docking station.

So Apple, hopefully your R&D department has someone reading blogs and ideas about how Apple's products could be utilized, and if so, dump the projector stupidity and give us a solution to use the iPhone as a thin client.

Thursday, July 2, 2009

Feedback to Google

So since it's rumored that Google does check the Internet for feedback on recent changes, I wanted to give my $.02 on some things:

- Spacing in Google search on the left side: Why would you do this? Unfortunately we live in a world where screens are getting smaller and the resolution stays the same with this netbook mania; removing any valuable space is moronic.

- Applying labels in Gmail: I'm an "Enterprise" customer of Gmail and quite a heavy user. I've become quite abusive with my labels, but I like to have things organized, causing me to tag multiple emails with multiple labels. The extra click to confirm that I've chosen a label when searching for one is a PITA; if you did choose the wrong one it's just one click to remove the wrongly selected one anyway, so why make it redundant?

Wednesday, April 29, 2009

DNS query parser

The last few days I've been working on our internal DNS servers, looking at the new BIND statistics I enabled two weeks back. Thanks to them I sure found some interesting behaviors from some clients that shouldn't be there.

Thinking a bit more about statistics, I started looking at the query log. If you have managed a DNS server you know that the query log tends to build up quickly, and it can become pretty unmanageable to troubleshoot unless you have some decent programming skills. So I figured, hell, let's dump the data in a MySQL database so we can run some nice queries to see trends etc.

The code below is what I ended up with. What it does is create a named pipe (FIFO) that BIND writes all query-log data to; the script parses each line and writes it to the database.

Please note that I'm still working on the code and will post updates to this post; if you have any proposals or issues with it, please email me.

Disclaimer: This code is very much untested and it's expensive to run from a CPU perspective, use caution!

...
logging {
    channel query_log {
        file "/var/log/querypipe";
        print-time yes;    // BIND's option name for the timestamp prefix the script's regex expects
    };
...


Once started, all query-log data is sent to the script and gets parsed; once the write cache has reached its limit, the data is written to the database. The reason for maintaining a write cache is that MySQL with MyISAM has much better performance inserting several rows at once rather than one at a time; the downside is that your data won't be real-time, which may not be ideal depending on your reporting needs.

CREATE TABLE `queries` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `date` varchar(25) DEFAULT NULL,
  `time` varchar(25) DEFAULT NULL,
  `source` varchar(15) DEFAULT NULL,   -- client IPv4 address (was a duplicate `id` column, which MySQL rejects)
  `port` int(11) DEFAULT NULL,
  `query` varchar(255) DEFAULT NULL,
  `rr` varchar(25) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM;


To run the code, edit the variables to match your system settings; to daemonize it, run it with -D. Once started, run rndc reload or restart your name server so that BIND releases the query log and reopens it as the pipe.


#!/usr/bin/perl
# Feeds BIND's query log, written to a named pipe, into MySQL in batches.

use strict;
use warnings;
use Getopt::Long;
use DBI;
use POSIX qw(setsid);

# Edit these to match your system.
my $LOG_PATH  = '/var/named/chroot/var/log/';
my $FIFO      = $LOG_PATH . 'querypipe';
my $RNDC      = '/usr/sbin/rndc';
my $user      = 'named';    # owner of the FIFO, so named can open it for writing
my $CACHE_MAX = 500;        # rows held in the write cache before one bulk INSERT

my $daemon = 0;
GetOptions('daemon|D' => \$daemon);

if ($daemon) {
    defined(my $pid = fork) or die "Can't fork: $!";
    exit if $pid;
    setsid or die "Can't start a new session: $!";
}

my ($login, $pass, $uid, $gid) = getpwnam($user) or die "$user not in passwd file";

# User and password are separate connect() arguments, not part of the DSN.
my $db = DBI->connect("dbi:mysql:database=dns;host=localhost;port=3306", 'dns', 'dns')
    or die "Failed to connect to DB: $DBI::errstr\n";

my @cache;    # write cache: one array ref per parsed query line

# One multi-row INSERT per flush. Placeholders keep the query name, which any client
# on the network chooses, out of the SQL text.
sub flush_cache {
    return unless @cache;
    my $rows = join ',', ('(NULL,?,?,?,?,?,?)') x scalar @cache;
    my $sth  = $db->prepare("INSERT INTO `queries` VALUES $rows");
    $sth->execute(map { @$_ } @cache) or die "Failed to write to DB: " . $db->errstr;
    @cache = ();
}

sub terminate {
    flush_cache();
    unlink $FIFO;
    exit 0;
}
$SIG{INT}  = \&terminate;
$SIG{HUP}  = \&terminate;
$SIG{TERM} = \&terminate;

while (1) {
    unless (-p $FIFO) {
        unlink $FIFO;
        system('mknod', $FIFO, 'p') == 0 or die "can't mknod $FIFO: $!";
    }
    chown $uid, $gid, $FIFO;
    # Make named reopen its log channel, which now points at the FIFO.
    system("$RNDC reload");
    open(my $fifo, '<', $FIFO) or die "can't read $FIFO: $!";
    while (my $line = <$fifo>) {
        # 12-Apr-2009 10:15:00.123 client 192.0.2.10#1234: query: www.example.com IN A +
        my ($date, $time, $source, $port, $query, $rr) = $line =~
            /^(\d{1,2}-[A-Za-z]{3}-\d{4}) (\d{2}:\d{2}:\d{2})\.\d+ client (\d{1,3}(?:\.\d{1,3}){3})#(\d{1,5}): query: (\S+) IN (\S+)/
            or next;    # skip anything that is not a query line
        push @cache, [$date, $time, $source, $port, $query, $rr];
        flush_cache() if @cache >= $CACHE_MAX;
    }
    close $fifo;    # writer went away (named restarted): flush, then recreate and reopen
    flush_cache();
}
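As an added example, not the post's code, here is the same query-log parser in Python with the write cache the post describes and parameterised bulk inserts; an in-memory SQLite table stands in for the MySQL one, and the log lines are constructed, including a query name containing a quote to show why the name must never be spliced into the SQL text.

```python
import re
import sqlite3

# BIND 9 query-log line shape the post's Perl regex expects (constructed example line):
#   12-Apr-2009 10:15:00.123 client 192.0.2.10#1234: query: www.example.com IN A +
QUERY_RE = re.compile(
    r"^(?P<date>\d{1,2}-[A-Za-z]{3}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<source>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d{1,5}): "
    r"query: (?P<query>\S+) IN (?P<rr>\S+)"
)

def parse_line(line):
    """Return (date, time, source, port, query, rr), or None for lines that are not queries."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    return (m["date"], m["time"], m["source"], int(m["port"]), m["query"], m["rr"])

class QueryLogWriter:
    """Write cache in front of a parameterised bulk INSERT (SQLite here, MySQL/MyISAM in the post)."""

    def __init__(self, conn, cache_max=100):
        self.conn, self.cache_max = conn, cache_max
        self.cache, self.skipped = [], 0
        conn.execute("CREATE TABLE IF NOT EXISTS queries (id INTEGER PRIMARY KEY, date TEXT, "
                     "time TEXT, source TEXT, port INTEGER, query TEXT, rr TEXT)")

    def feed(self, line):
        row = parse_line(line)
        if row is None:            # BIND also logs non-query messages; count and skip them
            self.skipped += 1
            return
        self.cache.append(row)
        if len(self.cache) >= self.cache_max:
            self.flush()

    def flush(self):
        """Insert the cached rows in one statement; returns how many were written."""
        if not self.cache:
            return 0
        # Placeholders, never string interpolation: anyone on the network chooses the
        # query name, so a name containing a quote would otherwise rewrite the INSERT.
        self.conn.executemany("INSERT INTO queries VALUES (NULL, ?, ?, ?, ?, ?, ?)", self.cache)
        self.conn.commit()
        n, self.cache = len(self.cache), []
        return n

def load_sample():
    """Run a constructed query-log sample (not real traffic) through the writer."""
    lines = [
        "12-Apr-2009 10:15:00.123 client 192.0.2.10#1234: query: www.example.com IN A +",
        "12-Apr-2009 10:15:00.456 client 192.0.2.11#53000: query: o'reilly.example.net IN MX -",
        "12-Apr-2009 10:15:01.000 client 192.0.2.12#1025: query: 10.2.0.192.in-addr.arpa IN PTR +",
        "12-Apr-2009 10:15:01.001 general: info: received control channel command 'reload'",
    ]
    conn = sqlite3.connect(":memory:")
    writer = QueryLogWriter(conn, cache_max=2)   # tiny cache so the sample flushes mid-stream
    for line in lines:
        writer.feed(line)
    writer.flush()                                # what the Perl script's terminate() should do too
    rows = conn.execute("SELECT source, port, query, rr FROM queries ORDER BY id").fetchall()
    return rows, writer.skipped
```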


Planned additions:
- Help-messages
- Function to log
- Auto adjust write frequency based on load
- Clean-up
- Fix MySQL table to use appropriate fields

Sunday, April 5, 2009

Enabling your recursive BIND server to support DNSSEC

So I've been doing some BIND hacking this weekend, looking into enabling my recursive BIND instance to do DNSSEC lookups where available.

Since the root servers today don't natively support DNSSEC, DLV (DNSSEC Look-aside Validation) has to be used. ISC provides one of these, giving somewhat of a proxied DNSSEC validation.

To enable DNSSEC lookups on your servers, the easiest approach is to use dnssec-configure, which reconfigures your named.conf with the appropriate variables. To enable, run:
dnssec-configure --dnssec=on --dlv=on -u -b
This will add the following to your config:
options {
    ...
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
    dnssec-accept-expired yes;
    ...
};

...
include "/etc/named.dnssec.keys";
Open up /etc/named.dnssec and add the following to enable DLV:
include "/etc/pki/dnssec-keys/dlv/dlv.isc.org.conf";
This includes the DNSKEY of dlv.isc.org, which is required to validate lookups towards this server; unless you include the key, lookups will not work. Notice that you may have to shuffle the files around a bit to adapt to your setup.

After you restart named, your BIND server will query the DLV server for secure lookups; if you have logging enabled you will be able to see DNSSEC debug records.

As you probably know, when using signed entities, keys are refreshed at a fixed interval. The recommended time for a DNSKEY is 1 month. Due to this, the key you have present in your dlv.isc.org.conf will become deprecated after 1 month. I decided to solve this by making a Perl script that re-creates the DLV configuration every night, to ensure that my server doesn't lose the capability of doing lookups. If DLV is unavailable, no recursion will work!

Here's the script:

#!/usr/bin/perl
# Rebuilds the DLV trusted-keys file from the DNSKEY RRset of dlv.isc.org.

use strict;
use warnings;
use Net::DNS;

my $dlv_file = "/var/named/chroot/etc/pki/dnssec-keys/dlv/dlv.isc.org.conf";
my $zone     = "dlv.isc.org";

my $res = Net::DNS::Resolver->new(
    nameservers => [qw(127.0.0.1)],
    recurse     => 1,
    debug       => 0
);

# Abort before touching the file if the lookup fails: an empty trusted-keys
# stanza would leave named without a DLV anchor and break all recursion.
my $reply = $res->query($zone, 'DNSKEY')
    or die "DNSKEY lookup for $zone failed: " . $res->errorstring . "\n";

# Keep only DNSKEY records for the zone; a validating resolver may also return RRSIGs.
# Note that this trusts whatever the local resolver answers, so compare a new key
# against the one ISC publishes before relying on the nightly run.
my @keys = grep { $_->type eq 'DNSKEY' && lc($_->name) eq $zone } $reply->answer;
die "no DNSKEY records in answer for $zone\n" unless @keys;

# Net::DNS may wrap the base64 key; named wants it on one line.
sub one_line {
    my $t = shift or return '';
    $t =~ s/\s+//g;
    return $t;
}

open(my $fh, '>', $dlv_file) or die "can't write $dlv_file: $!";
print $fh "trusted-keys {\n\n";
print $fh "$zone. " . $_->flags . ' ' . $_->protocol . ' ' . $_->algorithm
    . ' "' . one_line($_->key) . "\";\n" for @keys;
print $fh "};\n";
close($fh);

chown 25, 25, $dlv_file;    # uid/gid of named on this system

system("rndc reload");

exit 0;

Add the script to crontab and it will automatically update the DLV key as needed.
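As an added example, not the post's script, here is the same trusted-keys generation in Python with two checks a nightly anchor refresh should have: it computes each DNSKEY's key tag (RFC 4034 Appendix B) and refuses to replace the anchor file unless at least one KSK whose tag was pinned out of band is still in the answer, and it writes the file atomically. The DNSKEY records are constructed toy values, not ISC's key, and fetching them from the resolver is assumed to happen elsewhere.

```python
import base64
import os
import re
import tempfile

# The post's generated config also sets "dnssec-accept-expired yes"; once the anchor is
# refreshed reliably, turn that off, since it makes named accept signatures past expiry.

def key_tag(flags, protocol, algorithm, key_b64):
    """DNSKEY key tag (RFC 4034 Appendix B) over the wire-format RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def render_trusted_keys(zone, records, pinned_tags):
    """Build the trusted-keys stanza the post's script writes, from (flags, proto, alg, base64)
    tuples. Refuses unless a KSK (flags 257) whose tag was pinned out of band is still present,
    so a failed or spoofed lookup cannot silently swap the anchor."""
    keys = [r for r in records if r[0] in (256, 257)]
    if not keys:
        raise ValueError("no DNSKEY records; leaving the existing anchor file alone")
    present = {key_tag(*r) for r in keys if r[0] == 257}
    if not present & set(pinned_tags):
        raise ValueError("no pinned KSK in answer: pinned %s, got %s"
                         % (sorted(pinned_tags), sorted(present)))
    lines = ["trusted-keys {", ""]
    for flags, proto, alg, key in keys:
        key = re.sub(r"\s+", "", key)          # base64 may arrive wrapped; named wants one line
        lines.append('%s. %d %d %d "%s";' % (zone, flags, proto, alg, key))
    lines.append("};")
    return "\n".join(lines) + "\n"

def write_atomically(path, content):
    """Write next to the target and rename, so named never reads a half-written anchor file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".anchor.")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.replace(tmp, path)
    return path

# Constructed DNSKEY RRset (toy key material, not ISC's real key): one KSK and one ZSK.
SAMPLE_RECORDS = [
    (257, 3, 8, "AwEAAavN"),
    (256, 3, 8, "AwEA Aavx\n"),   # whitespace stands in for wrapped base64
]
PINNED_TAGS = {45784}   # key tag of the constructed KSK, computed out of band and kept in config

def refresh_anchor(path, records=SAMPLE_RECORDS, pinned=PINNED_TAGS, zone="dlv.isc.org"):
    """Nightly job: render and install the anchor file, or raise and leave the old one in place."""
    return write_atomically(path, render_trusted_keys(zone, records, pinned))
```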

Friday, January 16, 2009

Meetings, meetings and meeting

All the usual, meetings all day; going to Menlo Park rather than Santa Clara today to hang out with some old colleagues.

Thursday, January 15, 2009

Hard at work

About time to go home, way too many late nights this week.

Tuesday, January 13, 2009

Good morning Broomfield

Well I have to admit that our view in the bay-area isn't as great.

Monday, January 12, 2009

Settled in the hotel

So after a day in the office and pizza night with the colleagues I settled at my hotel. 2 rooms + kitchen. I can't make up my mind which room to sleep in :(


Flying out to Denver

Flying out to Denver to hang out with my new team for a couple of days.

Sunday, January 11, 2009

24

Watching 24, have to wake up in 6 hours :(

Thai + milkshake

Mark and I ended up at some Thai restaurant for lunch, and I must say, the food was freaking spicy... cooled off with a milkshake afterwards.

Good morning sunshine

It has been pretty cold in the Bay Area lately (around 50) but it seems like we'll have a turnover soon; it's even supposed to hit 70 today. Hopefully I'll find a good excuse to go outside.

New desk(top) setup

After requesting a new 20" monitor for my home-office my boss asked if I'd prefer a 24" instead since he had those on the shelf. Not being rude I obviously had to accept that. Anyhow, due to this I decided to take home my 24" from the office and put it at home thus resulting in this.

While I was at it I decided that I've been running Vista on my desktop for way too long, so I finally made the step back to Ubuntu. However, what's new now is that since I have the i7 CPU there's some mad potential to run virtual machines; so far I'm up to Fedora 10, OpenSolaris, Ubuntu 9.04 beta, Vista Ultimate and Windows 7, all running seamlessly in parallel.