Just wanted to add a quick note about this as I couldn’t find a reason why dynamic DNS on my Ubuntu 9.04 system were failing. I had all the right perms, ownership, etc. I even opened up the files to full world writable and still, I got errors that the journal files could not be written to.

Log snippets:

error: journal open failed: unexpected error

jnl: create: permission denied

Learning as I go… there’s a thing in Ubuntu called Apparmor. Never even heard of this. This is what was keeping the files from being written to by the bind daemon.  I guess Apparmor has been in this for a while now, but for several yeas now, I have not run into a situation where I had to mess with it.

Here’s what you change.  And keep in mind, this is NOT the correct way to handle this on a production or public DNS server.  You’ll need to read up more on the correct config for this one.  But on my tiny LAN or at home, here’s what I did.  In the /etc/apparmor.d directory, edit the usr.sbin.named file.  Find the line:

/etc/bind/** r,

Change it to:

/etc/bind/** rw,

Then restart the apparmord daemon.  If your DDNS config in Bind and DHCP are correct, you should start seeing successful updates now.

Here’s a coulple links that were helpful on the DDNS setup:

http://brunogirin.blogspot.com/2007/11/dhcp-and-dynamic-dns-on-ubuntu-server.html
http://ubuntuforums.org/showthread.php?t=274665
http://www.ops.ietf.org/dns/dynupd/secure-ddns-howto.html

Also, I wanted to make a note to myself. Creating a new key for DDNS:

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-update-key

That creates keyfiles in which you’ll get your key string, this is added in your dhcpd.conf and named.conf.* files as “secret”.   RTFM dnssec-keygen. and read up on the links above. :)

In Exchange 2007, you have a nice little GUI to set your FQDN on your Send Connector. (Mine is called Outbound, as shown below.)

You can see my FQDN, set under the Hub Transport/Send Connectors of the Exchange Management Console.

However, if you send mail out to an external address, you’ll notice in the headers that your internal server name is still listed! What!? What’s the point of the GUI?

You have top open Exchange Management Shell, and type in a command to solve this. It’s easy.

As shown above, you just type in the command:

set-sendconnector “Outbound” –fqdn mail.1stbyte.com

Replace “outbound” with the name of your send connector, and of course, change to your own FQDN, not mine.

It will come back in error, or success. If success, you can check your headers on and external account right away.

Have fun!

Had to spend a few minutes reminding myself how to configure this. Easy as pie! Even works with images now!!! Yay!

While in a “New Blog” in Word 2007, click the Manage Accounts buton. (A wizard will probably start the process the first time you do this, but here’s the manual way.) This assumes you already have a WordPress blog setup, of course. I tested this with my own WordPress installation, on my own web host, so I am not sure if this works the same with “Wordpress.com”, but I would assume so.

In the Blog Accounts, you can click New or Change.

In the next screen, enter your domain URL and make sure it ends with /xmlrpc.php.

Add your username and password, and for me, I like to Remember, but that’s up to you.

Then click Picture Options.

Make sure you have selected “My Blog Provider”, and click OK.

Then you’ll be back at the New WordPress Account windows, just click OK.

You should see a message that “Account created successfully” or something like that. If not, the errors are not very helpful, but when I did get one, it was just that I didn’t enter the right password. And remember, this will be the username and password IN YOUR WORDPRESS system, NOT your hosting system. (stupid mistake I made, I knew better!)

One thing I don’t see how to do, is select the account I want to publish to within Word, besides the obvious “default” setting. Maybe I need to do that in each doc. I will post when I test it.

EDIT: Duh! Right in Word, at the top of the doc is an Account selection. Just select the account for the blog, if you have more than one.

I’ve run into this a few times, thought I’d record the solution for once so I remember it.

After adding a new user account, the user does not show up in Outlook’s Global Address List, but does show in All Users. (If you click “To” in a new message, for example, and in the Select Names windows under “Show names from the:” drop down, you select All Users.) Even if I go into Active Directory Sites and Services and manually force replication it does not work. (under the NTDS Settings for each server) Normally, I would even go into Recipient Update Services and manually update, but this does not work either.

I found out that if you have Outlook in Cached Exchange Mode, the Global Address List does not update for up to 24 hours. I don’t know the details on that, but I can force it to update. This is on a per-machine basis, so doing this across the whole network won’t work. (Although, there may be a way to do this, I just don’t know how.)

Go into Outlook, go to Tools, Send/Receive, then click Download Address Book. Make sure you have Global Address List under the Choose Address Book drop down, and click OK. Problem solved.

By the way, I am using Exchange 2003 and Outlook 2003.

In Internet Explorer 7, Tools, Internet Options, Advanced tab. The checkbox for “enable integrated windows authentication” is very confusing. You would think this means “just log me in with my windows credentials”, but no, there’s more to it than that. And what I found was, it simply enables “Negotiate”. It set’s this registry key to 1:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate

After some research, this actually means that IE will negotiate between NTLM or Kerberos authentication. In some situations, Kerberos will fail. I don’t understand well enough to explain this one. But that’s ok, because the point of all this is… I want IE to authenticate automatically on my Intranet! Anyway, if you uncheck this setting in IE, it will set Negotiate to disabled. (0) If Negotiate is disabled, IE will use NTLM by default. BAM! I can login automatically.

Wouldn’t it be much more helpful if Microsoft had labeled that for what it was? Like: Negotiate Kerberos or NTLM Authentication.

Word of caution… some Intranet apps might depend on Kerberos, so this might cause more problems down the road of you disable this on all your client systems.

Another note… IE6, as I understand it, does not behave this way. It has a similar setting to enable windows authentication and I believe it uses NTLM by default. I HAVE NOT TESTED THIS, and I don’t know for sure if this is true, but according to my Googling, this is the case.

I found this site with info regarding EnableNegotiate:

http://ie7triage.spaces.live.com/blog/cns!3B6634EF5458F389!422.entry

Here’s another blog you might find useful:

http://blog.super-networking.net/systems/internet-explorer-enable-integrated-windows-authentication/

One of the main reasons I don’t use Firefox in an Intranet environment, is due to the logon prompt from IIS Windows Authentication. I keep having problems with IE7 on Vista losing the auto-NTLM auth, where it asks for my password, when it’s supposed to just log me in based on my domain logon! ARgh! So I started Google-ing and found out that Firefox can do this too!!! I never knew that, in all these years of Firefox use!

You have to set which sites are allowed to do this though. But that’s fine, not like I login with NTLM all over the place, just a couple sites from the Intranet. Go to about:config in Firefox, lookup all the “network:auth” items and you’ll see this one:

network.automatic-ntlm-auth.trusted-uris

Open that, and enter the website address. (even port if needed) BAM! That’s it!

For example:

webapp.servername.local:8080

This will use automatic NTLM logons based on your windows logon. But note: I do not know if this works if your machine is not a member of a domain.

I love how people always say that a software firewall like IPCop is a “lesser” product than a hardware system. I ran into one site speaking of Netsentron as a hardware solution. I’d also include Endian Firewall and Untangle when we talk about a “linux based hardware firewall”. Well here’s my thought. These systems offer a hardware solution, but aren’t these products really the same thing as the downloaded software version they provide? And if so, these products are really only a “hardware/software bundle”, right? (I think they actually advertise them this way anyway, but my gripe is with all those techs out there under the notion that these are real hardware based products.)

I can’t comment on any Cisco or Sonicwall, hardware firewalls, because I have not used any of them. But are these also just software running on hardware? And the main thing I’ve heard from security people about the lesser quality software products is that they are not good at defending against DOS attacks. Is this really true? Even if so, in the last 10 years I’ve ran some sort of Linux based firewall, whether home-brewed or special firewall distribution, I’ve not once had a break in. I’ve not once had a DOD attack. (THIS IS NOT AN INVITATION!)

Now, I have had a DOD attack directly on and Exchange or IIS server that was port forwarded directly to the Internet. Not pretty! Which is a big reason why I don’t run these systems directly anymore. But this is off topic. (maybe another blog coming!)

I’ll do some of my own research, but maybe if someone out there can shed some light on the deficiencies of a Linux firewall, in particular IPCop or Smoothwall. For my use, IPCop with a few addons, make for a fantastic filtering firewall, provided we pick good hardware to run it, and configure it properly. Is Sonicwall truly better at providing security?

Ah, just thinking out loud again. I am sure someone out there will give me hell for saying things like this. I am not a security expert, not even close. But, sometimes I just wonder about things… J

I found a ton of help on Google for this “Service Unavailable” issue on the OMA virtual directory for Exchange 2003. Unfortunately, this was not something readily available. Several sites will explain the proper config for all the virtual folders in IIS, which you should obviously follow, but they don’t mention one little thing… OMA uses ASP.net 1.1. If you go into the OMA properties in IIS, change it from ASP.net 2 to ASP.net 1.1. After that, it all worked beautifully!

Oh, and by the way, I ran into this issue while setting up some Windows Mobile devices with ActiveSync and Direct Push at a couple clients, one was running IIS5 on Windows 2000, and the most recent was running IIS6 on the Windows 2003. The solution was the same on both of them.

For some reason or other, Firefox does not have the option under the Tabs option items to “force links that open in new windows to open in:”. I have Firefox 2.0.0.7 now, and I don’t have that under Tabs options. But, if you open about:config in your address bar, you can change the setting manually.

Change: browser.link.open_newwindow

Mine was set to 3, which told the popups to always open in a new tab. I like that, mostly. But some web sites, TinyMCE editor in this case, like to open a popup and return you back the the original page. I keep losing that original popup. So I wanted to turn off my popup forced to new tab option. To make this behave normally, I set it to 2. All worked just peachy!