Welcome to my blog...it is just a bunch of random notes to myself, for myself, and if it happens to help someone else...cool. I am currently working for a large consulting company which supports a national nonprofit organization with 23000 workstations and 250 configuration servers.
Friday, October 27, 2006
Googlepedia Mistake
The problem is that Google's advertising is gone. In its place is where you see the Wikipedia article. Google will not stand for it and frankly, I don't think that it is really right. I don't mind choosing not to view ads by using an ad blocker; I feel that everyone has the right to control what advertising they are being shown. I also believe that advertisers have the right to encourage people to view their ad by offering content. I use a TiVo to skip most ads, but I have the option to view the ads that interest me.
If Google is smart, they will modify their search results and offer Wikipedia results but move it down enough to show their advertising. In fact, they could improve the intelligence of the Wikipedia search and if there was no match, they could have the Wikipedia article disappear. Right now my only complaint with the Googlepedia extension is when it brings up an article that is not related to my search.
Tuesday, October 24, 2006
Changing Registry ACL's EnMasse
Here is an interesting way to modify security permissions (ACLs) on computers and servers through GPO policies.
Active Directory administrators that are using a group policy security template can add the following lines to their .inf template file:
[Registry Keys]
"CLASSES_ROOT",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)"
"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Services\EventLog",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Computername",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\Software\Microsoft\Windows NT\CurrentVersion",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SOFTWARE\Classes\.hlp",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Classes\helpfile",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\Software\Classes",0,"D:AR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\Software",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
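Before importing a template like the one above it is worth decoding what each SDDL string actually grants. The following Python is an added example of mine, not part of the post: it parses a [Registry Keys] entry (path, mode column, DACL) into readable ACEs and flags any write-class right given to broad groups. The SDDL abbreviations and the mode-column meanings are taken from the security template format; the audit threshold (which groups count as "broad") is my own choice.

```python
import re

# Abbreviations from the SDDL specification. The generic SDDL right names are mapped onto
# their registry-specific meaning (registry-specific rights occupy access-mask bits 0-5).
ACE_TYPES = {"A": "ALLOW", "D": "DENY"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE", "ID": "INHERITED"}
DACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}
RIGHTS = {"KA": "KEY_ALL_ACCESS", "KR": "KEY_READ", "CC": "KEY_QUERY_VALUE",
          "DC": "KEY_SET_VALUE", "LC": "KEY_CREATE_SUB_KEY", "SW": "KEY_ENUMERATE_SUB_KEYS",
          "RP": "KEY_NOTIFY", "WP": "KEY_CREATE_LINK", "SD": "DELETE", "RC": "READ_CONTROL",
          "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
TRUSTEES = {"BA": "Builtin Administrators", "AU": "Authenticated Users", "CO": "Creator Owner",
            "PU": "Power Users", "SY": "Local System", "BU": "Builtin Users"}
MODES = {"0": "configure key, propagate inheritable permissions to subkeys",   # .inf mode column
         "1": "configure key, replace permissions on all subkeys",
         "2": "do not allow permissions on this key to be replaced"}
# Rights that let a principal change the key or its security (audit threshold, my choice).
WRITE_CLASS = {"KEY_ALL_ACCESS", "KEY_SET_VALUE", "KEY_CREATE_SUB_KEY", "KEY_CREATE_LINK",
               "DELETE", "WRITE_DAC", "WRITE_OWNER"}

def _pairs(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def _dacl_flags(s):
    out = []
    while s:                       # "P" is one character, "AR"/"AI" are two
        tok = "P" if s[0] == "P" else s[:2]
        out.append(DACL_FLAGS[tok])
        s = s[len(tok):]
    return out

def parse_template_line(line):
    """Decode one [Registry Keys] line of the form "path",mode,"D:flags(ACE)(ACE)..."."""
    m = re.fullmatch(r'"([^"]+)",(\d),"D:([A-Z]*)((?:\([^)]*\))+)"', line.strip())
    if not m:
        raise ValueError("not a DACL-only [Registry Keys] entry: " + line)
    path, mode, flags, ace_str = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_str):
        atype, aflags, rights, _obj, _inh, sid = ace.split(";")   # six SDDL ACE fields
        aces.append({"type": ACE_TYPES[atype], "flags": [ACE_FLAGS[f] for f in _pairs(aflags)],
                     "rights": [RIGHTS[r] for r in _pairs(rights)], "trustee": TRUSTEES.get(sid, sid)})
    return {"path": path, "mode": MODES[mode], "dacl_flags": _dacl_flags(flags), "aces": aces}

def broad_write_grants(entry):
    """Audit helper: broad groups that receive any write-class right on this key."""
    return sorted({a["trustee"] for a in entry["aces"] if a["type"] == "ALLOW"
                   and a["trustee"] in ("Authenticated Users", "Builtin Users", "Power Users")
                   and WRITE_CLASS & set(a["rights"])})
```

Run over the Printers line above it reports Power Users, whose ACE grants set-value, create-subkey and delete; the Tcpip line grants Authenticated Users read only and reports nothing.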
We have some bad permission policies that were created when we still had Windows 98 and Windows NT. Back then, modifying the default permissions was a strong security stance, but today it is giving us more grief than benefit, especially since Microsoft has improved its default configuration in regards to security.
We had an issue a few months ago when a Windows Update assumed that we had "Bypass traverse checking" enabled for Everyone in secpol.msc. If you didn't have bypass traverse checking enabled for a user account, then you wouldn't see your desktop.
Automatically log off users
How to create an ADM file for winexit.scr
;; Remember in GPMC to go View->Filtering
;; and uncheck "Only show policy settings that can be fully managed"
;;
;; David Carlin (djc6@case.edu) 2/25/2005
;;
;; WINEXIT.SCR is located in the Windows Server 2003 Resource Kit
CLASS USER
CATEGORY !!Screen_Saver_Policy
POLICY !!TERMINATE_APPS
KEYNAME "Control Panel\Screen Saver.Logoff"
VALUENAME ForceLogoff
VALUEON "1" VALUEOFF "0"
END POLICY
POLICY !!COUNTDOWN_TIMEOUT
KEYNAME "Control Panel\Screen Saver.Logoff"
VALUENAME CountDownTimer
VALUEON "300"
END POLICY
POLICY !!ENTER_DIALOG_MESSAGE
KEYNAME "Control Panel\Screen Saver.Logoff"
PART !!ENTER_DIALOG_MESSAGE
EDITTEXT
DEFAULT !!DEFAULT_MESSAGE
VALUENAME DialogMessage
END PART
END POLICY
END CATEGORY
[strings]
Screen_Saver_Policy="Winexit.scr Policy settings"
TERMINATE_APPS="Terminate running applications"
COUNTDOWN_TIMEOUT="Enable 5 minute warning logoff notice"
ENTER_DIALOG_MESSAGE="Warning message about being logged off"
DEFAULT_MESSAGE="You are about to be logged out. Press the cancel button to stop this process."
Wednesday, October 18, 2006
Rails and Plugins
I thought that Agile Web Development with Rails: Second Edition was going to repeat a lot of information from the first edition. I was wrong; the second edition updates a lot of techniques using conventions that have developed since the last book.
For example, one of the best ways to start a Rails project is by using migrations. This book works with that and I assume even more. Personally, the migrations section was well worth it. As an added benefit, I'm getting different information going through the depot example a second time because I understand how Rails works and can understand better why the examples do this or that.
Quick notes: The book uses Edge Rails, which I refused to install (my only problem with the book). The migrations model uses a :decimal call that is not available in Rails 1.1.6, so I was able to use my first Rails plugin, called dollars_and_cents. RadRails made the install very easy. The hard part was modifying the code to use this plugin.
Here are my notes:
Migration line: add_column :products, :price_in_cents, :integer, :default => 0
I ran 'ruby script/generate scaffold Product' which created a new products view. I used this code to modify the views and then copied them into the admin view.
list.rhtml:
<table>
<tr>
<% for column in Product.content_columns %>
<th><%= column.human_name %></th>
<% end %>
<th>Price</th>
</tr>
<% for product in @products %>
<tr>
<% for column in Product.content_columns %>
<td><%=h product.send(column.name) %></td>
<% end %>
<td><%=h number_to_currency(product.price)%></td>
<td><%= link_to 'Show', :action => 'show', :id => product %></td>
<td><%= link_to 'Edit', :action => 'edit', :id => product %></td>
<td><%= link_to 'Destroy', { :action => 'destroy', :id => product }, :confirm => 'Are you sure?', :post => true %></td>
</tr>
<% end %>
</table>
_form.rhtml (replace the last couple lines with this):
<p><label for="product_price">Price in dollars</label><br/>
<%= text_field 'product', 'price' %></p>
<!--[eoform:product]-->
show.rhtml (abridged):
<% for column in Product.content_columns %>
<p>
<b><%= column.human_name %>:</b> <%=h @product.send(column.name) %>
</p>
<% end %>
<p>
<b>Price in Dollars:</b> <%=h number_to_currency(@product.price) %>
</p>
Must Have for Integrating Linux in a Windows World
Novell's Ubuntu AD Samba Guide HOWTO: Configure Ubuntu for Active Directory Authentication
Note: Samba is hosted on Novell's servers because Novell is starting to seem pretty agnostic on what distribution people are running. Good for them.
I was able to allow my machine to authenticate on a Windows AD domain without joining it to the domain. The second step of setting up libpam-ldap and ncsd would require changes to the domain controllers, but I am only able to log on if the user account in /usr/passwd is identical to a domain account. If I had libpam-ldap installed and joined this computer to the domain, I would be able to accept anyone's domain account as a login on this machine.
I am now able to cruise network shares through Gnome (nautilus) with smb://servername without having to supply a password for each connection. Previously, my credentials would be encrypted to the nautilus keyring, so it may have seemed like authentication only happened once, but it was really happening each time you connected. With a Kerberos ticket, I am authenticated as myself until the ticket is closed or revoked by a domain controller. This truly becomes a single sign-on Microsoft environment.
Now I have to work out how single sign-on for our intranet is handled (NTLM?), which was developed on .Net. When I go to the site with Firefox (Windows and Linux) I get asked for continuous passwords, it seems. I had heard from a Novell Open Audio podcast that SUSE had figured out a way to use Firefox with single sign-on. I just can't remember if it was with a Firefox Kerberos plugin, or if there was a special setting in about:config.
Friday, October 13, 2006
Microsoft Support
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
Riddle me this:
Here are the details:
After approving September's patches on Saturday for an install on Sunday at 9am, I got my first call of a netlogon service problem. The user was not able to log on because the netlogon service was not able to start. A second blank error message pops up with a big red "X" and an OK button before sending you back to the ctrl-alt-del screen. Logging in as that user, as my domain account with local admin rights, or as the local renamed administrator account all produce the same results.
Going into Safe Mode, Safe Mode with Networking, or Safe Mode with Command Prompt all cause a hard reboot right when the graphics card should take off. The Last Known Good Configuration gives us the same results as starting Windows normally.
My first diagnosis was a roached OS and I re-imaged it. I found out late that someone else ran into the same scenario on Friday (before approval of updates) and solved it by re-imaging.
Now we start to get suspicious when we see our third, then fourth bad machine on Monday. We are able to keep a couple for studying (that's when someone figured out that Debug mode works) and start our call with Microsoft.
Booting into Debug mode allows for normal logins of local administrators and domain accounts.
I spent an hour running memtest and the Dell utilities to determine that the hardware was okay.
To be continued...