WSUS for Organized Microsoft Updates

Monday, September 7, 2009 by Dereck Martin
After implementing Squid for caching, I noticed how much Windows Update went out to download updates for the various machines.  This led me to quickly implement WSUS and a GPO for installing updates from our network.  WSUS is one of the few large applications that one can get absolutely free from Microsoft.  It really helps with organizing updates.  I now have the task of approving over 600 updates.

Squid cache to the rescue

Monday, September 7, 2009 by Dereck Martin
I implemented a Squid cache the other day for everyone.  Everyone in the company mainly accesses only a handful of websites a day.  The caching proxy lets us conserve bandwidth by grabbing data locally from our network first.  In my testing it has significantly improved the load times of AJAX-rich websites (like Gmail) and other content-rich websites.  I recommend implementing one regardless of the size of the company.

Windows 2008 guest and vmware

Friday, March 6, 2009 by Dereck Martin
Apparently there is a memory leak in the VDS.exe process for Windows 2008 guests in VMware.  I have included the link to the article for obtaining the hotfix.  It requires filling out a form, and the link to the actual hotfix is sent via email.

You will know if you have this memory leak: the VDS.exe process will consume all available memory over time.  Some have reported seeing the process consume 7GB of memory.

support.microsoft.com/kb/958387

Unifying Authentication with freeRADIUS - Part I

Wednesday, March 4, 2009 by Dereck Martin
How does one unify authentication for various technologies across a mixed operating system environment and deploy it transparently to users? 

Well, I have decided to use freeRADIUS as the entry point for our roaming wireless and VPN authentication.  freeRADIUS then passes the credentials on to Active Directory for authentication.  In this part, I will be focusing on getting the box authenticating against Active Directory and on the installation of freeRADIUS.

In order for this to work, a Linux box needs to be set up with samba and winbind so that it works nicely with Active Directory.  If you are experienced with this setup, it can be done in as little as 30 minutes.

I have a basic configuration file for samba that should work with a Windows 2003 Active Directory domain for nearly anyone.

[global]
security = ads
netbios name = server01
server string = server01
workgroup = DOMAIN
realm = DOMAIN.COM
# ip of active directory server
password server = x.x.x.x

idmap uid = 10000-29999
idmap gid = 10000-29999

winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
# You will need to create /home/DOMAIN if you plan to allow
# users to log in, and set up the pam.d stuff
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
# ip of wins server
wins server = x.x.x.x
encrypt passwords = yes
server signing = auto
name resolve order = wins host bcast

The krb5.conf file needs to be edited as well.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
DOMAIN.COM = {
kdc = x.x.x.x:88
}

[domain_realm]
.dnsdomain.DOMAIN.COM = DOMAIN.COM
DOMAIN.COM = DOMAIN.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
You will also need to set up /etc/nsswitch.conf.

passwd: files winbind
shadow: files winbind
group: files winbind
protocols: files winbind
services: files winbind
netgroup: files winbind
automount: files winbind
After these three files are set up and tuned to your environment, start the samba service with /etc/init.d/smb start

HINT: make sure the clock is synced to within 5 minutes of the Active Directory server.  Kerberos rejects tickets outside that default clock skew, so things tend to break otherwise.

The only thing left to do is join the box to the domain.  The command below should be sufficient.  You will need to make sure this machine has a static IP address, and that there is an A record and a PTR record in DNS for the hostname of the box.  If not, Active Directory may complain with a cryptic error message.

#~> net join -U Administrator

Once that completes without errors, start winbind.  On some Linux distributions the winbind init script is part of the samba init script (Gentoo, for example).

#~> /etc/init.d/winbind start
 
You should be able to authenticate a test user with wbinfo and get output like the one below.  Note that a password given on the command line ends up in your shell history, so use a throwaway test account:

#~> wbinfo -a username%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
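
Before the join, it is worth checking that smb.conf and krb5.conf actually agree with each other, because a mismatch only surfaces later as one of those cryptic errors.  The script below is an added example, not part of the original post and not Samba's or MIT's code: it parses the two files, flags a trailing comment on an smb.conf line (smb.conf only treats a whole line starting with # or ; as a comment, so trailing text becomes part of the value), checks that the realm is an upper-case DNS name, and checks that krb5.conf's default_realm matches it and has a [realms] block.  The sample files inside it are constructed and use the same x.x.x.x/DOMAIN.COM placeholders as the post; the realm line deliberately carries an inline comment so there is something to find.  Time sync and DNS records are not checked here.

```python
"""Preflight check for the smb.conf / krb5.conf pair before running 'net join'.

smb.conf is ini-like; krb5.conf nests 'REALM = { ... }' blocks that configparser
cannot read, so both parsers are small and hand-rolled. The sample files are
constructed for this example and mirror the post, including a trailing '# ...'
comment on the realm line, which smb.conf does not support.
"""
import re

SAMPLE_SMB_CONF = """\
[global]
security = ads
workgroup = DOMAIN
realm = DOMAIN.COM # ip of active directory server
password server = x.x.x.x
"""

SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.COM

[realms]
DOMAIN.COM = {
kdc = x.x.x.x:88
}
"""


def parse_smb_conf(text):
    """Return ({section: {key: value}}, findings); keys lower-cased as Samba treats them."""
    sections, findings, current = {}, [], "global"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf only knows whole-line comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if "#" in value or ";" in value:     # Samba would keep this text as part of the value
            findings.append(f"smb.conf:{lineno}: inline comment in value of {key!r}")
        sections.setdefault(current, {})[key] = value
    return sections, findings


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'NAME = {' block becomes a nested dict."""
    sections, section, block = {}, "libdefaults", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section, block = header.group(1).strip().lower(), None
            sections.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        target = block if block is not None else sections.setdefault(section, {})
        if value == "{":
            block = target[key] = {}
        else:
            target[key] = value
    return sections


def preflight(smb_text, krb5_text):
    """Return a list of problems; an empty list means the two files agree."""
    smb, findings = parse_smb_conf(smb_text)
    g = smb.get("global", {})
    krb = parse_krb5_conf(krb5_text)

    realm = g.get("realm", "")
    if not realm:
        findings.append("smb.conf: 'realm' is missing")
    elif not re.fullmatch(r"[A-Z0-9][A-Z0-9.\-]*", realm):
        # Kerberos realm names are case-sensitive; an AD realm is the DNS domain in upper case.
        findings.append(f"smb.conf: realm {realm!r} is not an upper-case DNS name")

    default_realm = krb.get("libdefaults", {}).get("default_realm", "")
    if realm and default_realm and realm != default_realm:
        findings.append(f"krb5.conf: default_realm {default_realm!r} does not match smb.conf realm {realm!r}")
    if default_realm and not isinstance(krb.get("realms", {}).get(default_realm), dict):
        findings.append(f"krb5.conf: no [realms] block for {default_realm!r}")
    return findings


if __name__ == "__main__":
    for problem in preflight(SAMPLE_SMB_CONF, SAMPLE_KRB5_CONF) or ["no problems found"]:
        print(problem)
```

Run as-is it reports the inline comment, the resulting non-upper-case realm value and the mismatch against default_realm; replace the SAMPLE_ constants with the contents of /etc/samba/smb.conf and /etc/krb5.conf to check a real box.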


After this is working, it's time to install freeRADIUS.  I heavily recommend installing from your distribution's package management system.  This is a common application and should be available in the big distributions.

There is one more thing that needs to be done for freeRADIUS to work nicely with winbind.  FreeRADIUS checks MS-CHAP credentials by calling ntlm_auth, which talks to winbind through its privileged pipe, so the radiusd user must be able to enter that directory.  If this is not done, radius will not work right.  Give that access to the radiusd account only: the privileged pipe is what lets a caller request NT keys, which is exactly why it is restricted in the first place.

#~> setfacl -m u:radiusd:rx /var/cache/samba/winbindd_privileged

The directory lives elsewhere on some distributions (/var/lib/samba or /var/run/samba); smbd -b | grep WINBINDD_PRIVILEGED_SOCKET_DIR shows where your build puts it.


Note: on some distributions, the "acl" mount option needs to be added to /etc/fstab, and ACL support for the file system type has to be included in the kernel configuration.  On systems like CentOS and OpenSuSE this shouldn't be a problem.

In the next part, coming soon, I will discuss how to configure radius for EAP/PEAP authentication for wireless networks.

The Woes of G2M3

Saturday, February 21, 2009 by Dereck Martin
For those that do not know, G2M3 is a special video codec used by GoToMeeting and GoToWebinar for recording.  It is only playable in Windows Media Player, and there is supposed to be a plug-in for QuickTime on the Mac.  It has caused so much frustration these past few weeks in a task I was assigned.

We implemented a new video help section, and we had an archive of old GoToMeeting recorded sessions.  The videos were all in WMV format utilizing the G2M3 video codec.

None of the video converters available for WMV to FLV (Flash video) could handle the video codec properly.  Most would crash outright.  That is where the adventure began in finding a way to convert G2M WMV video files into something more portable.

The first thing I tried was ffmpeg, since it can handle almost anything.  It failed immediately when trying to convert it.  At least it was nice enough to give me a reason why: it said the video stream was unsupported.

Stream #0.2: Video: G2M3 / 0x334D3247
 

After trying several converters, I had almost given up, until I dug deep into Google searches and came up with a post that shed some light on how to fix the problem.  It appears that most converters do not interface with the back-end Windows Media Player functionality needed to decode some WMV codecs during conversion.  I did find something that did: a utility called Windows Media Encoder.

WME was designed to stream Windows Media out to a Windows streaming server, but it can re-encode WMV using the standard Windows Media 9 video and audio codecs.  It is also free to download and use.

This was not the end of the journey for this task.  The FLV converter we use apparently does not support one of the Windows Media 9 codecs.  It supports the newer WMV codecs, just not the old ones.  I had to re-encode the WMV to another, more suitable format.

I chose to just convert the WMV into MPG with the aid of TMPGEnc.  This software is also free to use as long as MP2 encoding is not the main goal.  After all these old video files were converted to MPG format, our FLV converter worked.

The lesson in this situation is to set the GoToMeeting settings to record in standard WMV format not the Default G2M3 Format.  After testing, I found out the standard WMV works fine with our FLV converter.

I hope this helps anyone out there who plans on using G2M for any sort of video tutorials in SWF or FLV format.  I should also note that Citrix is aware that G2M3 is incompatible with Linux and with any Windows or Mac box that does not have the codec installed.  Keep that in mind when you use the product.

Importing certificates made easy.

Friday, February 13, 2009 by Dereck Martin
This tool has made my life much easier...

It allows me to import p12 client certificates onto machines.  This will be used for the certificate-based wireless we will be migrating to soon.  Without this utility, I would have to manually touch each machine to install it.

http://www.symantec.com/community/forum/5172/install-p12-certificate-silently


Things of interest for 2009-02-06

Friday, February 6, 2009 by Dereck Martin
Here are some items I found interesting today
  • Yes! It's the cardboard PC! - Green is the new black, or so it seems. So an enterprising designer’s inked plans to build a desktop PC that does away with the traditional metal and plastic exterior, in favour of… er… cardboard.
  • Why Windows Must Go Open Source - To maintain its developer ecosystem and protect its apps business, Microsoft has no choice but to loosen its grip on the Windows source code and drive down costs.

Things of interest for 2009-01-30

Friday, January 30, 2009 by Dereck Martin
Here are some items I found interesting today

Things of interest for 2009-01-29

Thursday, January 29, 2009 by Dereck Martin
Here are some items I found interesting today
  • Google-backed tool detects Net filtering, blocking - Is your Internet provider interfering with your network traffic, and perhaps even running afoul of Net neutrality principles? Google and some like-minded folks believe they've come up with what amounts to an early warning system.
  • Army invests $50 million in flexible displays - The U.S. Army has committed to renewing its partnership and providing another $50 million to Arizona State University's flexible-display research facility, the university announced on Thursday.

Things of interest for 2009-01-28

Wednesday, January 28, 2009 by Dereck Martin
Here are some items I found interesting today
  • Autonomous Robots Invade Retail Warehouses - Next time you order a new pair of skinny jeans from Gap.com, you should know that you are helping welcome in the hive-mind robot overlords of retail. Warehouses run by Gap, as well as Zappos and Staples now use autonomous robots to pluck products from their shelves and send them to you.
  • Hybrid fusion-fission reactors to run on nuclear 'sludge' - Texas-based boffins say they have figured out a cunning new method of dealing with America's nuclear waste, using fusion technology - which at the moment can't produce power - to turn 99 per cent of fission reactors' waste into useful energy.
  • I'm a sceptic now, says ex-NASA climate boss - "As Chief of several of NASA Headquarters’ programs (1982-94), an SES position, I was responsible for all weather and climate research in the entire agency, including the research work by James Hansen, Roy Spencer, Joanne Simpson, and several hundred other scientists at NASA field centers, in academia, and in the private sector who worked on climate research," Theon wrote. "I appreciate the opportunity to add my name to those who disagree that global warming is man made.”
  • Photos: Internet Explorer 8 RC1
  • Gmail grows up with offline e-mail access - Significantly increasing the utility and competitiveness of its Web-based e-mail service, Google is enabling an experimental ability to read, write, and search Gmail messages even while not connected to the network.
  • Next version of Office heads to the browser

Things of interest for 2009-01-27

Tuesday, January 27, 2009 by Dereck Martin
Here are some items I found interesting today

Things of interest for 2009-01-22

Thursday, January 22, 2009 by Dereck Martin
Here are some items I found interesting today

 

Things of interest for 2009-01-17

Saturday, January 17, 2009 by Dereck Martin
Here are some items I found interesting today

 

the crux of software management

Thursday, September 25, 2008 by Dereck Martin
Managing software for different classes of users across a Windows or Samba domain can be both costly for a company and a headache for an administrator.  There are many software packages and methods available, but in my experience not many provide a cost-effective and time-efficient way of managing a diverse range of software installers.

Some administrators choose the easy way and just give local admin privileges to the user on the machine.  It is then left up to the user to update and patch their system at their convenience.  This is not only poor administration practice from a security standpoint, but it is also a nightmare to keep track of rogue software installs and licensing.

As a supporter of open-source solutions, I find WPKG a great fit for managing software deployment on a small or large network of Windows-based machines.  It is easy to deploy and manage, and it saves administrators hours of headache and frustration.

WPKG [www.wpkg.org] only requires a small service to be installed on the workstation.  The server side is just an SMB share containing the XML configuration and the installers available for deployment.  This means your file server can run Microsoft Windows, Linux or any other operating system capable of providing network shares.

I recommend using the beta client, which was stable in all my testing.  The beta client has better support for what WPKG calls "Laptop Mode" or "Off-line Mode", which prevents the software from trying to do things while working off-line.  All software is installed at boot time, before the user is allowed to log into the system.

As with all open-source software, it is recommended that the manual and all documentation be completely read before asking questions.  If you don't and the answer is in the manual or other documentation, you will probably be directed to read more.  However, the community is active and quite helpful with problems.

The software can be broken down into four main parts.  Three of them are server configuration and the fourth is the client configuration.  The first part is the hosts configuration.

All settings for hosts are contained in a file called hosts.xml.  This file is easily editable and maintained from any machine with write access to the share, which is also why that write access should be limited to administrators: whoever can edit these files controls what gets installed on every client.  WPKG has a basic regex engine built in to help apply profiles to a group of similarly named machines.  This is ideal if machines are named and numbered by department.  Below is an example of some hosts and the profiles associated with them.

The first entry is a static host name, and that host gets any software in the custom profile.  The second entry matches any machine whose name begins with sales and gives it the software in the sales profile.  The third does the same for another department.

hosts.xml
<host name="host1" profile-id="custom" />
<host name="sales.+" profile-id="sales" />
<host name="cs.+" profile-id="cs" />

The second part is for configuring the various software profiles.  Each profile has a set of software applied to it, and only the machines associated with that profile will get that software deployed, upgraded and removed.

profiles.xml
<profiles>
  <profile id="standard">
    <package package-id="firefox3" />
  </profile>
  <profile id="sales">
    <depends profile-id="standard" />
    <package package-id="acrobat" />
  </profile>
  <profile id="cs">
    <depends profile-id="standard" />
    <package package-id="photoshop" />
  </profile>
  <profile id="custom">
    <depends profile-id="standard" />
    <package package-id="vmware" />
  </profile>
</profiles>

The third part of the configuration is the packages.  This is where all the information for each application or script to be deployed to the machines is stored.  With WPKG, not only applications but also console commands and scripts can be run, which makes it useful for other general maintenance.  WPKG uses several kinds of checks (file, registry, uninstall entry, and so on) and conditions on them to make sure software is only installed, upgraded or removed when it meets the stated criteria.

packages.xml
<package
  id="firefox3"
  name="Mozilla Firefox 3"
  revision="302"
  reboot="false"
  priority="10">

  <check type="uninstall" condition="exists" path="Mozilla Firefox (3.0.2)" />
  <!-- taskkill exits 128 when no Firefox process was running, so both codes are success -->
  <install cmd="taskkill /F /IM Firefox.exe">
    <exit code="0" />
    <exit code="128" />
  </install>
  <install cmd='"%SOFTWARE%\Internet\firefox\Firefox Setup 3.0.2.exe" -ms' />
  <upgrade cmd="taskkill /F /IM Firefox.exe">
    <exit code="0" />
    <exit code="128" />
  </upgrade>
  <upgrade cmd='"%SOFTWARE%\Internet\firefox\Firefox Setup 3.0.2.exe" -ms' />
  <remove cmd="taskkill /F /IM Firefox.exe">
    <exit code="0" />
    <exit code="128" />
  </remove>
  <remove cmd='"%PROGRAMFILES%\Mozilla Firefox\uninstall\helper.exe" /s' />
</package>
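
To see how these three files combine for a given workstation, here is an added example (not WPKG's own code and not from the original post) that resolves the effective package list for a host: it treats each host name as a regular expression the way WPKG does, follows <depends> between profiles, and reports package-ids that no package defines.  Two details are assumptions of this example rather than documented WPKG behaviour: names are matched as a case-insensitive full match, and every matching host entry is applied.  The XML is constructed for the example and deliberately keeps a mismatch (the standard profile references `firefox` while packages.xml defines `firefox3`) so the dangling-reference check has something to report.  The same check also shows why a sloppy regex matters: a pattern like `cs.+` hands the cs profile to every machine whose name merely starts with cs.

```python
"""Resolve the WPKG packages a workstation receives and catch dangling package-ids.

Added example; the XML below is constructed and mirrors the post's fragments.
Assumption: host name patterns are matched case-insensitively as a full match,
and every matching <host> entry contributes its profile.
"""
import re
import xml.etree.ElementTree as ET

HOSTS_XML = """<hosts>
  <host name="host1" profile-id="custom" />
  <host name="sales.+" profile-id="sales" />
  <host name="cs.+" profile-id="cs" />
</hosts>"""

PROFILES_XML = """<profiles>
  <profile id="standard"><package package-id="firefox" /></profile>
  <profile id="sales"><depends profile-id="standard" /><package package-id="acrobat" /></profile>
  <profile id="cs"><depends profile-id="standard" /><package package-id="photoshop" /></profile>
  <profile id="custom"><depends profile-id="standard" /><package package-id="vmware" /></profile>
</profiles>"""

PACKAGES_XML = """<packages>
  <package id="firefox3" name="Mozilla Firefox 3" revision="302" reboot="false" priority="10" />
  <package id="acrobat" name="Adobe Reader" revision="1" reboot="false" priority="5" />
  <package id="photoshop" name="Adobe Photoshop" revision="1" reboot="false" priority="5" />
  <package id="vmware" name="VMware Workstation" revision="1" reboot="true" priority="5" />
</packages>"""


def load_hosts(xml_text):
    """[(name_regex, profile_id), ...] in file order."""
    return [(h.get("name"), h.get("profile-id")) for h in ET.fromstring(xml_text).iter("host")]


def load_profiles(xml_text):
    """{profile_id: {'depends': [profile ids], 'packages': [package ids]}}"""
    profiles = {}
    for p in ET.fromstring(xml_text).iter("profile"):
        profiles[p.get("id")] = {
            "depends": [d.get("profile-id") for d in p.findall("depends")],
            "packages": [k.get("package-id") for k in p.findall("package")],
        }
    return profiles


def load_packages(xml_text):
    """{package_id: {attribute: value}}"""
    return {p.get("id"): dict(p.attrib) for p in ET.fromstring(xml_text).iter("package")}


def resolve_profile(profile_id, profiles, seen=None):
    """Package ids for a profile: dependencies first, de-duplicated, safe against <depends> loops."""
    seen = set() if seen is None else seen
    if profile_id in seen:
        return []
    seen.add(profile_id)
    if profile_id not in profiles:
        raise KeyError(f"profile {profile_id!r} is referenced but never defined")
    out = []
    for dep in profiles[profile_id]["depends"]:
        out.extend(resolve_profile(dep, profiles, seen))
    out.extend(profiles[profile_id]["packages"])
    return list(dict.fromkeys(out))


def packages_for_host(hostname, hosts, profiles):
    """Union of the packages from every <host> entry whose regex matches the workstation name."""
    out = []
    for pattern, profile_id in hosts:
        if re.fullmatch(pattern, hostname, re.IGNORECASE):
            out.extend(resolve_profile(profile_id, profiles))
    return list(dict.fromkeys(out))


def dangling_package_ids(profiles, packages):
    """package-ids used by profiles that no <package id=...> in packages.xml defines."""
    used = {pid for p in profiles.values() for pid in p["packages"]}
    return sorted(used - set(packages))


if __name__ == "__main__":
    hosts, profiles = load_hosts(HOSTS_XML), load_profiles(PROFILES_XML)
    packages = load_packages(PACKAGES_XML)
    for name in ("host1", "SALES-03", "cs"):
        print(name, "->", packages_for_host(name, hosts, profiles))
    print("dangling:", dangling_package_ids(profiles, packages))
```

Point it at the real files on the share (read hosts.xml, profiles.xml and packages.xml instead of the constants) and run it before a change goes live; a non-empty dangling list means a client would log an error instead of installing something.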

The client settings can be configured with the GUI client and then exported for importing into the rest of the clients.  In my setup, I keep the settings on the share.  I then use a script to copy the settings to the local machine at log-on and import into the client.  This is so I can change the settings on the server and have it auto update the clients when they log on if required.

In conclusion, WPKG is a cost-effective open-source solution for software management that is easily managed in a network environment for a company of any size.  You will also have saved your company money that can be used for something more useful.


© 2009 Compendium Blogware
All Rights Reserved