Apple Time Machine backup over AFP-share hosted on Linux
Monday, March 11. 2013
Netatalk, the current Linux implementation of the Apple Filing Protocol, properly supports all the good stuff. Mainly:
- DHX2 (Diffie-Hellman Key Exchange 2)-based authentication: the old authentication was plain-text, so this is a huge improvement, and all modern OS X versions require it
- AFP lock stealing, plus a couple of other features: see Apple's requirements for a Time Machine server
In my case, there is an HFS+ sparse file on an EXT4 partition. Setting this up with Time Machine is a breeze; however, TM will "think" a while before mounting the sparse file and actually running the backup. There are a couple of user testimonials that occasionally (too often) TM will freeze and fail to do a backup. Also, when the failure occurs, TM will fail to continue operation and a full backup media reset will be required.
The source of my information is the QNAP wiki, which describes the process on an old(ish) Mac OS X and Netatalk. I got my backup running based on that information. Also, if I hit the failures to back up reported above, I'll report back here.
Running Samba (SMB/CIFS network share) with OpenLDAP
Sunday, March 10. 2013
The above setup sure is a bitch to get running. There is plenty of documentation and tools scattered around the Web, but it looks like the user funnel goes something like this:
- 1.000.000 users running Samba on their Linux
- 1.000 out of the above users are running OpenLDAP on their Linux(es)
- 1 out of the above users is running Samba with passdb backend = ldapsam
In the end, there is no definite document or tool to rely on. I spent about two weeks gathering information and trying out various approaches. I had to run my LDAP-queries unencrypted while sniffing the traffic with Wireshark to get an idea what kind of information is being requested.
In the end, just getting LDAP working on your server(s) is difficult enough for most people to get discouraged by the constant failures while attempting the setup. The advantages are there: being able to authenticate the SSH shell, secured web pages, WebDAV and any number of applications against exactly the same user name / password pair in a tested and secure manner is an excellent reward. Just having HTTP Basic Auth running against an existing Linux user base without LDAP is very difficult and mostly requires poking unnecessary holes in system security to get it running.
One of the really bad things is that not all documentation describes a simple step-by-step process for making the setup secure. There is no need to allow all access to everybody; for example, a simple:
olcAccess: {0}to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by dn="cn=admin,dc=example,dc=org" write
by * none
will make harvesting accidentally stored plain-text passwords much more difficult than the out-of-the-box solution does. All stored LDAP passwords should be hashes, right? Not all tools default to doing that.
When all the Samba parts are in the LDAP, the above issue arises again. Using LanManager passwords is outright stupid, they can be brute-forced with ease, but NTLM passwords need to be protected with a similar access line:
olcAccess: {1}to attrs=sambaLMPassword,sambaNTPassword
by dn.base="cn=admin,dc=example,dc=org" write
by dn.base="cn=sambaservers,dc=example,dc=org" write
by anonymous auth
by self write
by * none
After that, there is some sanity in system setup.
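As an added example (not from the post), a small Python check that parses olcAccess rules of the form shown above and flags any rule that lets anonymous or * do more than auth against a password attribute. The sample input is constructed: the two rules from the post plus a third, permissive one to show a failing case.

```python
import re

# Constructed sample: the two rules quoted above plus a permissive one of
# the kind an out-of-the-box setup may leave behind (LDIF continuation
# lines start with a space).
SAMPLE_ACLS = """\
olcAccess: {0}to attrs=userPassword,shadowLastChange
 by self write
 by anonymous auth
 by dn="cn=admin,dc=example,dc=org" write
 by * none
olcAccess: {1}to attrs=sambaLMPassword,sambaNTPassword
 by dn.base="cn=admin,dc=example,dc=org" write
 by dn.base="cn=sambaservers,dc=example,dc=org" write
 by anonymous auth
 by self write
 by * none
olcAccess: {2}to attrs=userPassword
 by anonymous auth
 by * read
"""

SECRET_ATTRS = {"userpassword", "sambalmpassword", "sambantpassword"}
# slapd access levels, weakest first; "auth" lets a bind compare a password
# without ever reading the stored value, so it is the ceiling for outsiders.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level(access):
    """Rank an access keyword; anything unknown is treated as too strong."""
    return LEVELS.index(access) if access in LEVELS else len(LEVELS)


def parse_acls(text):
    """Return [(index, [attrs], [(who, access), ...])] per olcAccess rule."""
    rules = []
    for raw in text.splitlines():
        if raw.startswith("olcAccess:"):
            rules.append(raw.split(":", 1)[1].strip())
        elif raw[:1].isspace() and rules:
            rules[-1] += " " + raw.strip()   # join continuation line
    out = []
    for rule in rules:
        m = re.match(r'\{(\d+)\}to attrs=(\S+)((?:\s+by\s+\S+\s+\S+)*)', rule)
        if m:
            clauses = re.findall(r'by\s+(\S+)\s+(\S+)', m.group(3))
            out.append((int(m.group(1)), m.group(2).lower().split(","), clauses))
    return out


def weak_password_rules(text):
    """Indexes of rules where anonymous or '*' gets more than 'auth' on a
    password attribute, i.e. where a hash could be read out and harvested."""
    weak = []
    for idx, attrs, clauses in parse_acls(text):
        if SECRET_ATTRS & set(attrs) and any(
                who in ("anonymous", "*") and level(acc) > level("auth")
                for who, acc in clauses):
            weak.append(idx)
    return weak
```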
To get all the "Samba parts" working in your LDAP, Microsoft Knowledge Base article Q243330, Well-known security identifiers in Windows operating systems, is a must-have reference. While debugging the LDAP queries you will face something like this:
ldapsearch -x -b "dc=example,dc=org" \
"(&(&(objectclass=sambaGroupMapping)(sambaGroupType=4))
(|(|(|(|(|(|(|(|(|(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2))(sambaSIDList=S-1-5-11))
(sambaSIDList=S-1-22-2-1099))
(sambaSIDList=S-1-5-32-545))
(sambaSIDList=S-1-22-2-1101))
(sambaSIDList=S-1-22-2-1102))
(sambaSIDList=S-1-5-32-544)))))" cn gid
Initial impression will be WTF!? However, most of the SIDs are needed in your LDAP to make Windowses happy.
Some kind of setup wizard would be nice. It would save a couple of weeks of debugging / setup time.
Nginx ngx_open_cached_file() causing SIGSEGV
Friday, February 22. 2013
My production box crashed with:
** glibc detected ** nginx: worker process: malloc(): memory corruption: 0x00000000012f9d20 ***
** glibc detected ** nginx: worker process: malloc(): memory corruption: 0x00000000012f9d20 ***
2013/02/21 21:34:30 [alert] 20048#0: worker process 7258 exited on signal 9
Which was bad.
I like ETags to reduce page loads, and Nginx does not support them. To get it to support ETags, there is a module on GitHub, which I am using.
After a nice couple of hours of debugging it turned out that all other places in the Nginx code call ngx_memzero() before calling ngx_open_cached_file(). That turned out to be the crucial mistake in the module. I filed an issue with the original author to notify everybody else.
My production boxes did actually return weird errors now and then, which I didn't think much of. Weird things happen sometimes. However, this fix seems to help: no worker processes are dying and the page load errors seem to have gone away. Hopefully the box does not crash again.
Does Adblock Plus typo correction work for anyone?
Friday, February 22. 2013
Adblock Plus is a great add-on for Fire-/Waterfox, Chrome and Opera. It really keeps the unwanted commercial crap out of your browsing experience. There are so many badly designed and implemented ads in the world that they triple or quadruple page loading time, look ugly and sometimes, when the programmer has really been a total idiot, a failure to load the stupid ad crashes the JavaScript functionality which would otherwise be needed. Programmers: test your site with ads blocked, please.
My point is that if ad programmers are idiots, an equally idiotic programmer in the Adblock Plus project decided that I cannot type. Sure, now and then my fingers do not hit the keys they should have, but I most definitely don't need a machine to fix my typos. That's for sure. Now the brainiac that made the decision that I cannot type enables this useless helper by default.
The entire feature is fucking useless! It never works when I mis-type, but it always triggers when I enter the address correctly. Looks like somebody else has the same issue and wrote instructions on how to disable the I-think-you-wrote-it-wrong-I'll-make-it-much-worse-for-you add-on.
Can you show me a single working example where a machine would 100% detect a user's mistake and 100% of the time correct it properly? No, you cannot. Nobody can.
Windows backups
Tuesday, February 19. 2013
What happened to Symantec / Norton?
They used to be the backup company, but they have not released anything after Norton Ghost 15.0 (yes, I am a user). That is from Nov 2009, making the newest version over 3 years old! On top of that they announced that Windows 8 will not be supported. WTF!? That is an excellent indication of their commitment to the product. Those who cannot understand sarcasm: they abandoned the product years ago.
Screw you Symantec! I'm going home.... erhm... to Acronis True Image. They release updates, they release new versions, they support Windows 8. Their level of commitment is from a totally different planet than Symantec.
Vim's comment line leaking is annoying!
Friday, January 25. 2013
Is it just me or is vim's automatic comment continuation onto the next line completely unnecessary? Every time I copy/paste anything into vim it makes the smart choice and completely messes up the code. And this is enabled by default! WTF?
Something like this will help:
:set formatoptions-=cro
This reads: disable the following:
- c: Auto-wrap comments using textwidth, inserting the current comment leader automatically
- r: Automatically insert the current comment leader after hitting <Enter> in Insert mode
- o: Automatically insert the current comment leader after hitting 'o' or 'O' in Normal mode
After that copy/paste works as it should.
vim modelines
Tuesday, January 22. 2013
My weapon of choice in the Linux CLI is vim. However, out of the box it acts very stubbornly when editing files with a modeline. The nice modelines seem to have zero effect. WTF!?
To my amazement, it appears that modelines are turned off by default. It can be verified with a simple echo command from vim:
:echo &modeline
will yield 0 as an answer. So step 1 is to enable them in ~/.vimrc. If the file does not exist, create it. If it does exist, make sure that it contains the following:
set modeline
Then confirm that echo displays 1 to indicate that modelines are enabled. What a great idea not to enable them! Nice going suckers!
To create your own modeline, put something like this into your file:
# vim: tabstop=4 shiftwidth=4 softtabstop=4 expandtab:
It reads:
- tabstop=4: The width of a TAB is set to 4. It is still a \t; vim just displays it with a width of 4.
- shiftwidth=4: Indents will have a width of 4
- softtabstop=4: Sets the number of columns for a TAB
- expandtab: Expand TABs to spaces
MagicISO leftovers after uninstall
Wednesday, January 9. 2013
MagicISO is an ancient ISO-image editing app. If you install it, see the ancient look it has and notice that the trial version is hugely crippled, you may choose to uninstall it like I did.
Guess what! It does not remove the shell extension and the DLL file associated with it. The software is gone and there is very little you can do to get rid of the context menu.
I found that NirSoft's ShellExView is the tool for that job. Just pick the MagicISO context menu entry and disable it. The entry does not disappear from the context menu automatically; Explorer needs to be reloaded for that. I simply killed the process with Windows Task Manager and restarted it.
Done!
Bacula vchanger Fedora 17 binary
Sunday, January 6. 2013
Fedora 17 does come with a pre-built Bacula, but the important virtual tape-changer software is a separate SourceForge project and the Fedora people don't seem to include it.
I found a SPEC file for vchanger and built binaries. The src RPM is also there; go get them if you need 'em. The goodies are at http://opensource.hqcodeshop.com/Bacula/.
Serendipity blog
Saturday, January 5. 2013
My weapon of choice for this blog is Serendipity Weblog System.
The criteria were simple:
- Written in PHP
- Not WordPress
- Must support PostgreSQL
- Not WordPress
- Enough popularity / reputability, that one will want to run the software
- and finally: Not WordPress
Serendipity seems to have all 6 of the above. It is a pain to install the way I did it. I'm mod_rewriting the /serendipity/ directory away and it causes a ton of pain. I managed to do that, but it is obvious that the authors did not plan for this software to be (ab)used like that.