Networking
Windows 7 Pro does not run domain logon scripts and map drives
by Greg on Jan.17, 2012, under Networking, Windows 7
I set up a new computer for a client, and Windows 7 would not map the drives in the logon script for the domain account.
Ran into this issue, again. Our domain uses a VBScript as our login script, and it appears to run. It runs correctly if started manually, just not at user login. It fails to reconnect the mapped network drives and they are not showing up in Windows Explorer. So, here’s a quick tip.
Add this to your registry:
Under this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Add this DWORD value:
EnableLinkedConnections = 1
Then reboot. After I added this to the Windows 7 Pro registry as the administrator, of course, and then logged in as my standard user account, all my mapped drives were there and available.
I didn’t bother looking into how or why that works, so I can’t give any background info. I just needed it to work.
Good luck, hope that helps others!
Netatalk Time Machine backups to Ubuntu Linux 10.04 Lucid AFP Network Share Configuration Guide
by Greg on Nov.29, 2011, under Backup, Linux, Mac, Networking, Ubuntu
Well… not much of a guide really. Just a very quick how-to on what I did to get Time Machine on my Macbook Pro with OSX Lion 10.7 to save its backup data to my Linux server network share using AFP, rather than SMB (Windows share), a Time Capsule, or an Apple Server. I will attach my working config files for your reference as well. Note that 1) I am using the source code for Netatalk, compiled and installed, not the Ubuntu or Debian package, and 2) I am assuming you are comfortable with installing software from source. Last note, I owe a HUGE THANK YOU to a post I found on the basics of this configuration (located here: http://www.trollop.org/2011/07/23/os-x-10-7-lion-time-machine-netatalk-2-2/). I had a hard time getting anything working otherwise, and that post mostly got things working for me.
I really love this setup, because:
A) I am running a tiny ITX case with a 1.5TB ZFS mirror in it for data integrity. (back when drives were cheap, this makes a powerful and inexpensive NAS) (oh and I am running this using the zfs-native package on Ubuntu Lucid! Love it!)
B) I love having the network-based Time Machine running, because it just runs whenever I am on my home network. I don’t have to think about, “Well, should I plug in my USB drive and backup tonight?” It just runs all the time.
C) I also have Crashplan running on that ZFS pool, to save all my local machines here as well.
None of that has anything to do with getting an AFP share running, so, moving on. The instructions below don’t cover the creation of the sparse bundle for the AFP share, which Time Machine uses. Once you get to the Sixth step below, you’ll need to create that sparse bundle and copy it to your share. I used the script located on this post to generate my sparse bundle and copy it over to my server share. Anyway, to get your Mac talking to your Linux box, set up Netatalk like below. :)
FIRST:
Go get the latest Netatalk source code from Sourceforge. http://netatalk.sourceforge.com/
Download and un-tar that code into a directory of your choice. But before we configure and compile this… we need some supporting software.
SECOND:
Get the supporting software packages for Avahi and other items. We need Avahi for zeroconf and other libs for authentication purposes.
I ran this apt-get command:
apt-get install avahi-daemon mdns-scan \
    avahi-utils libavahi-common-dev \
    libavahi-compat-libdnssd1 libavahi-compat-libdnssd-dev \
    libssl-dev libacl1-dev libwrap0-dev libgcrypt11-dev libdb4.8 libdb4.8-dev
Install the above items, then we can move on to the compile and install of afpd/Netatalk.
THIRD:
Now, “cd” to the directory where you un-tar’d the netatalk download code. For example, mine was in this folder:
cd /mpool/Shares/Shared/netatalk-2.2.1
Assuming all the above packages installed successfully, let’s run ./configure. Here’s my command line:
./configure --enable-debian --with-acls --enable-ddp --enable-zeroconf
Then, if that ran successfully, you should end up with some summary information as follows: (may not be exact)
Using libraries:
LIBS = -lpthread -L$(top_srcdir)/libatalk
CFLAGS = -I$(top_srcdir)/include -D_U_="__attribute__((unused))" -g -O2 -I$(top_srcdir)/sys
SSL:
LIBS = -L/usr/lib64 -lcrypto
CFLAGS = -I/usr/include/openssl
LIBGCRYPT:
LIBS = -lgcrypt
CFLAGS =
BDB:
LIBS = -L/usr/lib64 -ldb-4.8
CFLAGS =
Configure summary:
Install style:
debian
AFP:
Large file support (>2GB) for AFP3: yes
Extended Attributes: ad | sys
CNID:
backends: dbd last tdb
UAMS:
DHX ( SHADOW)
DHX2 ( SHADOW)
RANDNUM ( SHADOW)
passwd ( SHADOW)
guest
Options:
DDP (AppleTalk) support: yes
CUPS support: no
Apple 2 boot support: no
SLP support: no
Zeroconf support: yes
tcp wrapper support: yes
quota support: yes
admin group support: yes
valid shell check: yes
cracklib support: no
dropbox kludge: no
force volume uid/gid: no
ACL support: yes
LDAP support: no
Notice the section on “UAMS” containing “DHX” and “DHX2”? You must have those listed, or your Mac OS X Lion system won’t work with it. It needs the encrypted authentication. If you don’t see those listed, you are missing some libraries on your system.
FOURTH:
Now if all is well… run make.
make
make install
Run the above command, while still in that source directory.
Netatalk will install binaries for you under: /usr/local/sbin and config under: /usr/local/etc/netatalk.
It also installs a basic startup script under your /etc/init.d directory called, easy enough, “netatalk.”
FIFTH:
Setup your config. I’ll attach my configs for your reference, but here’s a couple basics.
1. afpd.conf - comment out anything else, and add this line:
- -udp -noddp -uamlist uams_randnum.so,uams_dhx.so,uams_dhx2.so -nosavepassword
2. AppleVolumes.default – also comment out others, and add these.
These are just an example, based on my config. You’ll need to adjust the names and paths.
(NOTICE the “tm” at the end of the time machine share below, you must have that for TM to work.)
/dapool/bu/tm TimeMachine allow:greg cnidscheme:dbd options:usedots,upriv,tm
/mpool/Shares/AppleShare AppleShare allow:greg cnidscheme:dbd options:usedots,upriv
3. netatalk.conf – I didn’t have this file on one system, so I just created it and added the config below:
#### machine's AFPserver/AppleTalk name.
ATALK_NAME=`echo ${HOSTNAME}|cut -d. -f1`
#### server (unix) and legacy client (<= Mac OS 9) charsets
ATALK_UNIX_CHARSET='LOCALE'
ATALK_MAC_CHARSET='MAC_ROMAN'
#### Don't Edit. export the charsets, read form ENV by apps
export ATALK_UNIX_CHARSET
export ATALK_MAC_CHARSET
#########################################################################
# AFP specific configuration
#########################################################################
#### Set which daemons to run.
#### If you use AFP file server, run both cnid_metad and afpd.
CNID_METAD_RUN=yes
AFPD_RUN=yes
#### maximum number of clients that can connect:
AFPD_MAX_CLIENTS=20
#### UAMs (User Authentication Modules)
#### available options: uams_dhx.so, uams_dhx2.so, uams_guest.so,
#### uams_clrtxt.so(legacy), uams_randnum.so(legacy)
AFPD_UAMLIST="-U uams_dhx.so,uams_dhx2.so"
#### Set the id of the guest user when using uams_guest.so
AFPD_GUEST=nobody
#### config for cnid_metad. Default log config:
CNID_CONFIG="-l log_note"
#########################################################################
# AppleTalk specific configuration (legacy)
#########################################################################
#### Set which legacy daemons to run.
#### If you need AppleTalk, run atalkd.
#### papd, timelord and a2boot are dependent upon atalkd.
ATALKD_RUN=no
PAPD_RUN=no
TIMELORD_RUN=no
A2BOOT_RUN=no
#### Control whether the daemons are started in the background.
#### If it is dissatisfied that legacy atalkd starts slowly, set "yes".
ATALK_BGROUND=no
#### Set the AppleTalk Zone name.
#### NOTE: if your zone has spaces in it, you're better off specifying
#### it in afpd.conf
ATALK_ZONE=@AFP
SIXTH:
Start ‘em up!
/etc/init.d/netatalk start
That should start up the services. I did a quick check using “netstat -tapn” and if you see these below, you should be running:
tcp        0      0 0.0.0.0:548     0.0.0.0:*    LISTEN   22146/afpd
tcp6       0      0 ::1:4700        :::*         LISTEN   22144/cnid_metad
Again, it may look a bit different on your system, but you should at minimum see the afpd process on port 548 and something listed for “cnid_metad” on its default port of 4700. I don’t know why mine says tcp6, but it works, so I am not complaining.
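As an added example (not code from this post or from the Netatalk project), here is a small POSIX shell script that checks the FIFTH-step config and the SIXTH-step netstat output before you trust the server with backups: that afpd.conf loads the DHX and DHX2 UAMs and not the cleartext one, that the Time Machine volume carries the “tm” option, that afpd and cnid_metad are listening, and that cnid_metad is bound to loopback only (it only needs to talk to afpd on the same host). The function names, the file-argument handling and the sample config and netstat lines inside it are mine; the samples are constructed from the values shown above, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the post or the Netatalk project: pre-flight checks
# for the FIFTH (config) and SIXTH (start-up) steps above.  Files default to
# the constructed samples built below; pass real paths as arguments:
#   sh netatalk-check.sh /usr/local/etc/netatalk/afpd.conf \
#       /usr/local/etc/netatalk/AppleVolumes.default netstat-output.txt

# check_uamlist FILE: the active afpd.conf line must load uams_dhx.so and
# uams_dhx2.so (Lion needs them, see the UAMS note above) and must not load
# uams_clrtxt.so, which sends passwords in the clear.
check_uamlist() {
    uams=$(grep -v '^[[:space:]]*#' "$1" \
        | grep -o -e '-uamlist[[:space:]]*[^[:space:]]*' | head -n 1 | awk '{ print $2 }')
    case ",$uams," in
        *,uams_clrtxt.so,*) echo "afpd.conf: cleartext UAM enabled" >&2; return 1 ;;
    esac
    case ",$uams," in
        *,uams_dhx.so,*) ;;
        *) echo "afpd.conf: uams_dhx.so missing" >&2; return 1 ;;
    esac
    case ",$uams," in
        *,uams_dhx2.so,*) ;;
        *) echo "afpd.conf: uams_dhx2.so missing" >&2; return 1 ;;
    esac
    return 0
}

# check_tm_volume FILE NAME: the AppleVolumes.default entry named NAME must
# carry "tm" in its options, or Time Machine will refuse the share.
check_tm_volume() {
    line=$(grep -v '^[[:space:]]*#' "$1" | awk -v n="$2" '$2 == n { print; exit }')
    if [ -z "$line" ]; then
        echo "AppleVolumes.default: volume $2 not defined" >&2
        return 1
    fi
    opts=$(printf '%s\n' "$line" | grep -o 'options:[^[:space:]]*' | sed 's/^options://')
    case ",$opts," in
        *,tm,*) return 0 ;;
        *) echo "AppleVolumes.default: volume $2 lacks the tm option" >&2; return 1 ;;
    esac
}

# Fields of "netstat -tapn": Proto Recv-Q Send-Q Local Foreign State PID/Program
# check_afp_listeners FILE: afpd on port 548 and cnid_metad on port 4700.
check_afp_listeners() {
    afpd=$(awk '$6 == "LISTEN" && $4 ~ /:548$/  && $7 ~ /\/afpd$/       { n++ } END { print n+0 }' "$1")
    cnid=$(awk '$6 == "LISTEN" && $4 ~ /:4700$/ && $7 ~ /\/cnid_metad$/ { n++ } END { print n+0 }' "$1")
    [ "$afpd" -gt 0 ] || { echo "afpd is not listening on 548" >&2; return 1; }
    [ "$cnid" -gt 0 ] || { echo "cnid_metad is not listening on 4700 (CNID DB errors on the Mac)" >&2; return 1; }
}

# cnid_on_loopback FILE: cnid_metad only serves afpd on the same host, so it
# should be bound to 127.0.0.1 or ::1 (the tcp6 line above is fine); any other
# address makes the CNID database service reachable from the network.
cnid_on_loopback() {
    bad=$(awk '$6 == "LISTEN" && $7 ~ /\/cnid_metad$/ && $4 !~ /^(127\.0\.0\.1|::1):/ { n++ } END { print n+0 }' "$1")
    [ "$bad" -eq 0 ]
}

# Constructed samples, taken from the values shown in this post.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_AFPD="$SAMPLE_DIR/afpd.conf"
SAMPLE_VOLUMES="$SAMPLE_DIR/AppleVolumes.default"
SAMPLE_NETSTAT="$SAMPLE_DIR/netstat.txt"
cat > "$SAMPLE_AFPD" <<'EOF'
# - -tcp -noddp -uamlist uams_clrtxt.so      (commented-out example, ignored)
- -udp -noddp -uamlist uams_randnum.so,uams_dhx.so,uams_dhx2.so -nosavepassword
EOF
cat > "$SAMPLE_VOLUMES" <<'EOF'
/dapool/bu/tm TimeMachine allow:greg cnidscheme:dbd options:usedots,upriv,tm
/mpool/Shares/AppleShare AppleShare allow:greg cnidscheme:dbd options:usedots,upriv
EOF
cat > "$SAMPLE_NETSTAT" <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:548     0.0.0.0:*        LISTEN  22146/afpd
tcp6       0      0 ::1:4700        :::*             LISTEN  22144/cnid_metad
EOF

check_uamlist "${1:-$SAMPLE_AFPD}" && echo "afpd.conf UAMs: ok"
check_tm_volume "${2:-$SAMPLE_VOLUMES}" TimeMachine && echo "TimeMachine volume: ok"
check_afp_listeners "${3:-$SAMPLE_NETSTAT}" && echo "afpd and cnid_metad listening: ok"
cnid_on_loopback "${3:-$SAMPLE_NETSTAT}" || echo "warning: cnid_metad is reachable from the network" >&2
```

Run it with no arguments to see it pass on the samples, or feed it your own afpd.conf, AppleVolumes.default and a saved copy of “netstat -tapn” output. A non-zero exit from any check names the problem on stderr, which is quicker than waiting for Time Machine to report a CNID or authentication error on the Mac.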
I should note, I set this up on two systems. One worked right away, the other wouldn’t start cnid_metad. Your startup should respond with:
..Starting Netatalk services (this will take a while): cnid_metad afpd.
See that “cnid_metad” listed in the services starting? My problem system wouldn’t show this, it only showed afpd. As a result, Time Machine and Finder on my Mac would give me an error about CNID DB not working and “using temporary” or something like that. Time Machine failed every time.
What I did to fix it, was a cheesy hack. I just found the lines below in my /etc/init.d/netatalk script:
# prepare startup of file services
if [ "x$CNID_METAD_RUN" = "xyes" -a -x /usr/local/sbin/cnid_metad ] ; then
    echo -n " cnid_metad"
    /usr/local/sbin/cnid_metad $CNID_CONFIG
fi
I changed the above to look like this:
# prepare startup of file services
if [ -x /usr/local/sbin/cnid_metad ] ; then
    echo -n " cnid_metad"
    /usr/local/sbin/cnid_metad $CNID_CONFIG
fi
I don’t care if CNID_METAD is “yes” or not, I just want it to run! Every time! So I just check if that binary is executable and launch it. This worked!! And Time Machine connected to my AFP share (which was this: afp://draygon/TimeMachine ) and started backing up!
I won’t go into the Time Machine config on your Mac here. All you really need to do is in the “Select Disk” button, it will list your available disks, just select the one on your server. I did make sure I could connect to it first. In Finder, go to “Go” on the menu and select “Connect to Server”. Type in the server path or browse to it. ( afp://YOUR_SERVER_NAME/YOUR_SHARE_NAME ) If that opens, and you can create files in there in Finder, you should be good to go!
It should be obvious, as well, that on your Linux system you need a user account created with a matching password (which Finder on your Mac may ask for). You should also have file system permissions configured on your Linux system accordingly. If not, you will have trouble connecting and/or creating files. Therefore, Time Machine won’t work either. So make sure the “sharing” stuff works.
My Config Files:
Located in /usr/local/etc/netatalk, the links below will open up at pastebin.com.
afpd.conf - http://pastebin.com/3kvHLLph
AppleVolumes.default - http://pastebin.com/Z0L7pzGi
netatalk.conf - http://pastebin.com/agVs4RW0
Extra Note:
I wanted to mention this link: http://lifehacker.com/5691649/an-easier-way-to-set-up-time-machine-to-back-up-to-a-networked-windows-computer
In order to get Time Machine to use that AFP share, you need to create a Sparse bundle file which saves your data. The link above has some great instructions on that. And they link you to this script for your Mac to create the file and copy it, makes it easy!
EDIT 12/02/11:
On OSX Lion, you apparently DO NOT need to manually create that sparse file. I had to remove my backup data and recreate it, and when I did, I did not create the sparse file. I simply opened Time Machine, clicked Select Disk, and there was my network share. I selected that network share and it created a new sparse file and started to backup automatically. Nice!!
Maybe that’s a Lion thing, I don’t know. BUT YOU DO NEED to tweak your Mac to allow backup to an unsupported network share. The articles listed above mention using the “secrets pref pane” in OSX and a checkbox to allow the unsupported backup location. PrefPane can be downloaded from this site:
http://secrets.blacktree.com/
(you can really BREAK your Mac with that program with some of those settings, so use at your own risk! I only used it to set my Time Machine to use Linux.)
It’s a quick-n-easy install. Open that program once installed, go to the Time Machine section and check the box to allow unsupported backup locations. There is a manual, command line way to do this as well.
Web site timeouts with PFSense firewall and Qwest DSL modem
by Greg on Oct.25, 2011, under FreeBSD, Internet, Networking, Security
Qwest / Centurylink DSL Web site timeouts, hangups, or failures while running a firewall or router with static IP addresses.
Recently I set up the Qwest DSL service in my home. It worked great, but after a couple of days I started to get hangups and timeouts while browsing the web. Speed tests still showed the correct speeds, and rebooting all my hardware didn’t solve the issue.
I run PFSense as my internet firewall. (check it out, http://pfsense.org ) I love PFSense, it gives me very fine grained control over just about everything, even simple traffic speed limiters for certain parts of my LAN. (like my kid’s systems, I don’t want them eating my bandwidth with Youtube!) In the past, I’ve had some issues with my client networks and firewalls while using Qwest DSL and PFSense. I found almost ZERO help on Google searches, which I find surprising, because I can’t be the only one with this setup. But, to get to the point, you need to set up the Qwest modem advanced options to use Dynamic Routing. I use version 2.
If I plug in and connect directly, I do not get the connectivity issues, so I knew something with the PFSense was, to put it mildly, not being cooperative. Setting to Dynamic Routing fixed this issue on 3 client networks AND on my recent install at home.
Note, too, that all these networks have static IP’s or static blocks. I tried setting to use transparent bridging, which didn’t help. But one time I setup PPPoE directly on PFSense, and that did help. In the end, the only way I could reliably run PFSense on Qwest DSL was to disable NAT on the modem, setup Dynamic Routing, and purchase static IP address(s). Keep in mind, you need to use the “Static IP” setup from Qwest and NOT run transparent bridging, like I assumed. Read their docs, there’s a special setup for this in the Quick Setup section of their modem firmware.
Also, I had this issue on most of the later model modems and firmware, but NOT on the oldest Actiontec modems running old firmware. (like the 701’s) But on the newer Qwest firmware (with the blue background and preschool-style-coloring :) I had to enable Dynamic Routing. Also, I have the newer Zyxel Q1000Z modem now, same issue.
I have no understanding of why this happens. It doesn’t make any sense to me. Although, just to throw an idea out there, maybe it has to do with the way the modems manage hops from the external destinations. From what I read, dynamic routing has something to do with maintaining the hops between routers online. Maybe, since using the modem with static IP’s basically sets it into bridging mode, it incorrectly maintains that hop information, or at the very least it doesn’t identify itself correctly. So what may happen is some routers out there get flaky and don’t respond well with your bridged modem by the time they communicate with your firewall. Some do fine though, which would explain why some sites fail and some don’t. I don’t believe PFSense is doing any dynamic routing protocol work, at all. It’s just firewalling my LAN, right? So all I can assume is, since the Qwest modem is in between me and the rest of the internet, IT has something to do with that communication breakdown using the dynamic routing. Of course, I really don’t know what I am talking about and making complete assumptions! But hey, it’s just an idea. Maybe someone who knows more than I do can shed some light on it. :)
Tuning FreeBSD loader.conf for ZFS to prevent kmem_map too small kernel panic
by Greg on Jan.27, 2011, under FreeBSD, Networking
Been using FreeBSD 8 and 8.1 for over a year now, love it. Have root on the ZFS mirror, works great! However, I’ve struggled to find a good way to set the /boot/loader.conf variables for kmem_size and zfs.arc_max. Everything I tried didn’t seem to work, so I ended up leaving all that out and just let the default “auto-tuning” do its thing. But whenever I tried to copy large files, like 20+ GB files, it would crash the server. It would give me that “kmem_map too small” kernel panic.
In addition, I have a gigabit network and fairly new 500GB drives in my array, which are not high-end, speedy drives, but should operate fairly well. I was getting network transfer speeds of about 45MB/s to 55MB/s, varying. But usually managed to stick to about 50 fairly regularly. I am not using a scientific method of measuring this, only the Windows 7 transfer window. So it’s not something I’d rely on, but it was close enough to see *about* what we’re doing.
I finally did some reading, and found that setting my vfs.zfs.arc_max to about one-half my RAM, minus 512MB, and setting vm.kmem_size to 1.5x my RAM, it would stop giving me the kmem_map panic. I found a wide range of suggestions out there, but in general, there were more suggestions to set the kmem_size higher, and keep the arc_max lower than half the ram. Also, I found the general thought was you would be best having 8G of RAM in the first place and auto-tuning seemed to work best.
For my server, running 8.1-RELEASE, I have an i3 cpu on an Intel server board, with 4G RAM. My ZFS is a mirror on the Root, plus my main storage using 6 drives, 500G ea. (varying makes), in a RAIDz2 array. So I have no UFS, only ZFS. Once I set those two parameters, I jumped from about 50MB/s to 72MB/s. And my 48G transfer test of files moved over no prob. FINALLY!! I love it!
Here’s my relevant loader.conf variables:
vm.kmem_size_max="8G"
vm.kmem_size="6G"
vfs.zfs.arc_min="1024M"
vfs.zfs.arc_max="1500M"
vfs.zfs.prefetch_disable=0
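To make the rule of thumb above reusable, here is an added shell calculator (my code, not from this post or from FreeBSD) that turns an amount of RAM into the loader.conf lines: arc_max = RAM/2 − 512M and kmem_size = 1.5 × RAM are the post’s rules; kmem_size_max = 2 × RAM and arc_min = ⅔ of arc_max are my assumptions chosen to match the 8G and 1024M values above. It also refuses to emit values where arc_max would not fit inside kmem_size, since that is the combination that brings the panic back. For 4G of RAM it prints arc_max as 1536M where the post rounds down to 1500M.

```shell
#!/bin/sh
# Added example, not from the post: loader.conf ZFS tunables from RAM size.
#   vfs.zfs.arc_max  = RAM/2 - 512M   (rule from the post)
#   vm.kmem_size     = 1.5 x RAM      (rule from the post)
#   vm.kmem_size_max = 2 x RAM        (assumption: matches the 8G used with 4G RAM above)
#   vfs.zfs.arc_min  = arc_max * 2/3  (assumption: close to the 1024M/1500M pair above)
# All sizes are in MB.  Usage: sh zfs-tunables.sh [RAM_MB]; without an
# argument it reads hw.physmem via sysctl on FreeBSD and otherwise assumes 4096.

arc_max_mb()       { echo $(( $1 / 2 - 512 )); }
arc_min_mb()       { echo $(( $(arc_max_mb "$1") * 2 / 3 )); }
kmem_size_mb()     { echo $(( $1 * 3 / 2 )); }
kmem_size_max_mb() { echo $(( $1 * 2 )); }

# zfs_tunables_ok RAM_MB: arc_max must be positive and smaller than kmem_size,
# otherwise the ARC can grow past the kernel map and the panic returns.
zfs_tunables_ok() {
    arc=$(arc_max_mb "$1"); kmem=$(kmem_size_mb "$1")
    [ "$arc" -gt 0 ] && [ "$arc" -lt "$kmem" ]
}

# fmt_size MB: whole gigabytes get the "G" suffix the post's file uses.
fmt_size() {
    if [ $(( $1 % 1024 )) -eq 0 ]; then echo "$(( $1 / 1024 ))G"; else echo "${1}M"; fi
}

# zfs_loader_conf RAM_MB: print the loader.conf block, or fail with a message.
zfs_loader_conf() {
    zfs_tunables_ok "$1" || { echo "RAM of ${1}MB is too small for this rule" >&2; return 1; }
    printf 'vm.kmem_size_max="%s"\n' "$(fmt_size "$(kmem_size_max_mb "$1")")"
    printf 'vm.kmem_size="%s"\n'     "$(fmt_size "$(kmem_size_mb "$1")")"
    printf 'vfs.zfs.arc_min="%s"\n'  "$(fmt_size "$(arc_min_mb "$1")")"
    printf 'vfs.zfs.arc_max="%s"\n'  "$(fmt_size "$(arc_max_mb "$1")")"
    printf 'vfs.zfs.prefetch_disable=0\n'
}

ram_mb=${1:-$(sysctl -n hw.physmem 2>/dev/null | awk '{ printf "%d", $1 / 1048576 }')}
ram_mb=${ram_mb:-4096}
zfs_loader_conf "$ram_mb"
```

Redirecting the output into /boot/loader.conf is deliberately left to you; compare the printed lines with what is already there first, since the post’s point is that auto-tuning is only worth overriding when the panic actually shows up.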
Also, I have two 16G swap partitions. (I know, overkill, but I wanted to pre-allocate those on my mirror and leave it for when I upgrade the RAM)
I am sure someone out there with a better understanding would recommend better values, but it works well enough for me and so far it’s stable.
By the way this server also shares lots of media, VirtualBox VM’s, and also some Postgres and Mysql with Apache/PHP. It’s not under any load, just a few of us access this system, but we do read/write large files from time to time.
I hope this helps others out there! Good luck!
DNS settings hijacked and av.exe won’t go away. Internet turns Inertnet!
by Greg on Feb.25, 2010, under Antivirus, Networking, Windows XP
Had a fun time today cleaning off some trojans and rootkits. On this one client system, while trying to go online, the Internet turned into the Inertnet! (Hahahha! I love that one!) As usual, I have lots of ideas why, but no real evidence and clients saying “I don’t know how it got there.” Doesn’t really matter though, it’s there and I am going to clean it off. I managed to easily scan for and clean off a couple of them, but one wouldn’t detect with any scanner. AV.exe kept popping up, showing the fake windows security center and Antivirus 2010. I used Process Explorer to see the offender, but I couldn’t find the file, it was hidden.
I rebooted with UBCD4Win, found the file and deleted it. Problem is, this caused a mess in Windows. Nothing would load, I always got a “Open With” dialog box. After some Googling, I found out where to fix that in HKCR in the registry. In there, there was a setting for .exe files to open, and it was set to use av.exe in the user profile to open them! How do you like that?!!
I wasn’t able to fix that in the current user profile, it was locked down somehow. Opening in the Administrator account of XP allowed me to fix it though. The default value for “exefile” should be set to:
"%1" %*
(Just google that for more info.)
Ok, so got that all fixed. Fun how you clean off these bugs, only to leave windows all messed up after! Next, did all my final scans, tweaks and other items. (lock down IE, disable scripts/Flash/Adobe, add a windows update to Trusted Sites, and force user to use Firefox. I also changed the icon on Firefox to the one for IE so the user will pretty much always use it!) Then I tried to get all the updates caught up, only no go! Wait, I am on the same Internet connection as my system, and it works for me, why not the client system? Hmm… well they are on an isolated subnet, going through the firewall separately. (keeps their bugs off my systems!) But, wait, those are the same DNS settings?
AH! Take a look at those NIC properties in XP. DNS is hard set to 93.188.x.x! Nslookup shows that as some place at a .com.ua domain. Well, let’s fix that one, and set to DHCP like it should be! Problem solved, Windows Update works!
Fun stuff! I’ve cleaned a lot of bugs over the years, and I’ve heard of DNS hijacking, but that’s the first one I’ve seen like that.
Rootkit from fes.sk/files
by Greg on Feb.09, 2010, under Antivirus, Internet, Networking, PC Repair, Security, Windows XP
I had a client recently that had their browsers hijacked. Everything they typed in the browser ended up redirecting them to some test_s.php file at “www.fes.sk”. (Don’t open that, or you might end up with a virus! I just wanted people to find this in case it might help clean this bug off!)
Not sure what this virus was, but it disable Microsoft Security Essentials and blocked even MalwareBytes and SuperAntispyware from detecting it. I couldn’t find it and I was almost to the point of just reloading the computer because in this case it would have been faster to just copy the docs of and reload Windows XP.
I thought, let’s search that URL? This was key, because it brought up some forum posts and someone mentioned HitMan PRO. www.surfright.nl/en/hitmanpro
Never heard of this program, but thought since it had a 30 day trial I’d give it a quick shot. I was very impressed, it scanned in literally a few minutes. (like 2 or 3!) It found a “Rootkit”, nothing more than that though, in a file called “ipsec.sys” in the system32/drivers directory. Then it said, “Reboot to clean.”
My client was very pleased to see it reboot, do another very quick scan, and he was able to browse the web again.
Hitman Pro was free for 30 days, but you had to activate it. I believe it has a subscription price of just under $30/year for 3 PC’s. (as of 02/09/2010) That’s not too bad I think. Keep in mind though, this looks like a “remover” , not a real-time antivirus protection program. You’ll still want Norton, NOD32, MSSE, whatever you like, for that.
Now, I have to ask… because all my clients are starting to ask… why do they need this when they already have MSSE, Norton, etc? Why doesn’t the AV real-time protection actually protect them in the first place? Well, I can’t answer that one. But it drives me nuts, and it make it worthless to pay for a subscription to Norton or McAfee (or any other) when all they do is get subverted and taken down, even if it’s the clients fault. Because of this I will only suggest a free product for now, at least until I start seeing the “for pay” products doing what they were paid to do. And if I see a Rootkit or Trojan that I can’t easily clean off, I’ll recommend HitmanPro for now. If that can quickly remove bugs for my clients every time I use it, I’ll tell them (my clients) to use it and even purchase it as a quick cleaning tool in addition to MSSE.
The specified server cannot perform the requested operation
by Greg on Jan.12, 2010, under Networking, Windows 7, Windows Server
I was not able to access a newly joined Windows 7 computer on our domain from our Windows 2000 Server. I just received that error. “Cannot perform the requested operation” Sharing was setup ok, permissions and security set ok, firewall was turned off. I saw an Event ID 2017 on the Windows 7 system, too. Something about “unable to allocate from the system nonpaged pool”.
I found this online. Add the MaxNonpagedMemoryUsage value below in the client’s registry. (Windows 7 system) Make a restore point first so you can undo if any problems arise.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\MaxNonpagedMemoryUsage
DWORD VALUE: 0xFFFFFFFF
Next, restart the “Server” service on the Windows 7 machine. Then go back to Windows 2000 Server and try to connect to \\window7machine and see if it can access it now.
This worked great for me, hopefully it works for you too. However, it may be wise to increase that value in small increments from the default, which I THINK is 0x100000. I just maxed it out on my client system to test, and it’s working fine. Just thought I’d make note of it. If you have further problems, or this doesn’t fix the issue, remove the value and reboot. This should return it back to the default.
Exchange 2007 Server Powershell tests
by Greg on Jan.04, 2010, under Exchange Server, Networking
Get the test commands available:
get-help test*
Should list out the tests available to you.
Test overall system health:
test-systemhealth
Check Outlook Web services:
test-outlookwebservices -identity:amailblox@organization.com | fl
(note the “fl” at the end, helps reading output, otherwise it will not wrap the lines)
ZFS CIFS and ACL Inheritance
by Greg on Jul.24, 2009, under Networking, OpenSolaris, Security
This is just another one of those things that didn’t make any sense and only partially does now. At least NOW I know there is more at play here than the simple solutions in Samba using create mask and create directory mask. In Linux, that’s how I would get around the issues of Windows directory permissions running on a Linux SMB share.
Now, I am learning to do things the OpenSolaris way. I am loving OpenSolaris and ZFS! However, coming from a Linux and Windows “way of life”, there are some differences that just aren’t clear. What kills me is, I try the RTFM thing, and somehow completely miss that one little thing that makes it all work. Off topic, but an example, coming from Linux, I would just type “su” and get root access. In OpenSolaris, that won’t work. Neither will “pfexec su”, nor “sudo su”. Then one day, after dealing with it for a week or so, I stumble upon a post where someone in an unrelated sample script typed “pfexec su – root”. There ya go! Argh!
Anyway, back on the ZFS/CIFS/ACL thing. It was driving me nuts that I couldn’t figure it out. I wanted a folder with this setup:
/pool/sharefs – owner:greg – group:domusers
greg and domusers should have full control and all folders under “sharefs” should inherit that.
So under Linux/Samba, that’s where I would do something like “create mask = 770” or similar, and “force create group = domusers”. Something like that, can’t remember exactly. It made it simple actually. It always wrote files with the right perms and ownership and other people in that group could read/write just fine.
Problem is, you can’t get very specific about who gets what, where, and you can’t use more than one group. Well, sure enough, there’s a thing called “ACL” that handles that stuff now. It’s been around for a while now, but I never even heard of it until I started using OpenSolaris. I like how it seems to be more compatible with the way Windows handles ACL’s. What I don’t like is, it’s confusing. I get the NTFS/Share perms in Windows, been doing that a long time now. The CIFS/ZFS ACL thing kind of makes sense, and it will “click” at some point the more I use it.
After spending hours on this, I reached a point where I had to figure it out. Here’s what I did.
On the ZFS file system, create it normally for SMB access. Then I changed some properties for aclinherit and aclmode. Change those to “passthrough”:
zfs set aclinherit=passthrough pool/sharefs
zfs set aclmode=passthrough pool/sharefs
Then chmod/chown. OH! That’s another thing. You need to use /bin/chmod and /bin/ls! Not just type: chmod … That won’t work. In OpenSolaris the default path points to /usr/gnu/bin/chmod, which doesn’t have the “A” or “V” options to set/view ACL’s. That was another thing that DROVE ME CRAZY!!! I read the man pages and manuals and docs online and I didn’t catch anything that said, “Hey, there are different versions of chmod and ls here!” I can’t believe the time wasting here! Back to the point, do this to put your own default perms on:
/bin/chmod 2774 /pool/sharefs                               (I actually am not positive that is needed, but I think it set group as inheritable)
/bin/chmod -R A- /pool/sharefs                              (that will wipe out the current perms)
/bin/chmod -R A=owner@:full_set:fd:allow /pool/sharefs      (resets perms with only that acl)
/bin/chmod -R A+group@:full_set:fd:allow /pool/sharefs      (that appends the group perms, full control)
/bin/chmod -R A+everyone@:read_set:fd:allow /pool/sharefs   (above appends everyone read access)
In all the above that will preset INHERITABLE permissions for the subdirectories. Notice above there is one with “A=” on it? That will reset the perms and set only that perm. So I guess you may not even need the previous line for “A-” to reset. (I am just learning here ya know!)
It looks as if that makes a little sense now. You can view the current ACL’s like so: "/bin/ls -V /pool/sharefs"
In my case, I might want to add another user or group:
/bin/chmod -R A+user:stacy:full_set:fd:allow /pool/sharefs
/bin/chmod -R A+group:othergroup:full_set:fd:allow /pool/sharefs
/bin/chmod -R A+group:yetanothergroup:read_set:fd:allow /pool/sharefs
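Because the whole point of the chmod sequence above is that every ACE carries the “fd” inheritance flags, it is worth checking the result instead of trusting it. The script below is an added example (my code, not from this post or from OpenSolaris) that parses the compact ACL format “/bin/ls -V” prints, in which each ACE line reads principal[:name]:permissions:inheritance:type, and reports whether every entry inherits to both files and directories, whether a given principal holds an inheritable full_set allow entry, and whether any deny entries crept in. The listing embedded in it is a constructed sample of what the ACL above should look like, not captured output; give it a file containing real “/bin/ls -V” output as the first argument to check your own share.

```shell
#!/bin/sh
# Added example, not from the post: verify the inheritable ACL set up above
# by parsing "/bin/ls -V" output (Solaris compact ACL format, e.g.
# "group@:rwxpdDaARWcCos:fd-----:allow").  Usage: sh acl-check.sh [LISTING]

FULL_SET="rwxpdDaARWcCos"   # compact form of full_set

# acl_lines FILE: only the ACE lines, i.e. those ending in :allow or :deny.
acl_lines() { awk -F: '$NF == "allow" || $NF == "deny"' "$1"; }

# all_aces_inheritable FILE: every ACE carries both f (files) and d (dirs)
# flags, so new files and folders under the share receive the same ACL.
all_aces_inheritable() {
    bad=$(acl_lines "$1" | awk -F: '{ inh = $(NF-1); if (index(inh, "f") == 0 || index(inh, "d") == 0) n++ } END { print n+0 }')
    [ "$bad" -eq 0 ]
}

# principal_has_full_control FILE PRINCIPAL: PRINCIPAL is owner@, group@,
# everyone@, user:NAME or group:NAME; true if it holds an inheritable
# full_set allow entry.
principal_has_full_control() {
    n=$(acl_lines "$1" | awk -F: -v want="$2" -v full="$FULL_SET" '
        {
            p = $1; sub(/^[ \t]+/, "", p)      # strip the indentation ls adds
            if (NF == 5) p = p ":" $2          # named user:NAME / group:NAME
            if (p == want && $(NF-2) == full && $(NF-1) ~ /f/ && $(NF-1) ~ /d/ && $NF == "allow") n++
        }
        END { print n+0 }')
    [ "$n" -gt 0 ]
}

# deny_aces FILE: number of deny entries; none are expected after the A= reset.
deny_aces() { acl_lines "$1" | awk -F: '$NF == "deny" { n++ } END { print n+0 }'; }

# Constructed sample of the ACL the chmod sequence above should produce.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
drwxrws---+  2 greg     domusers       4 Jul 24 12:34 /pool/sharefs
                 owner@:rwxpdDaARWcCos:fd-----:allow
                 group@:rwxpdDaARWcCos:fd-----:allow
              everyone@:r-----a-R-c---:fd-----:allow
             user:stacy:rwxpdDaARWcCos:fd-----:allow
       group:othergroup:rwxpdDaARWcCos:fd-----:allow
EOF

acl=${1:-$SAMPLE}
all_aces_inheritable "$acl" && echo "all ACEs inherit to files and directories"
principal_has_full_control "$acl" group@ && echo "group@ has inheritable full control"
[ "$(deny_aces "$acl")" -eq 0 ] && echo "no deny entries"
```

The inheritance check is the one that matters for the “Windows creates a file and the group can’t touch it” problem; an entry written without the fd flags applies to the directory itself and to nothing created under it later, which is exactly what the -R and :fd: parts of the chmod lines above are there to prevent.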
So with this setup I can now open the share on the server and create a file or folder with inherited permissions. It does, however, save my username as a new owner, so keep that in mind. But if the group stays in there with “domusers” as full read/write access, I am happy.
Well, now I get it just a little and it makes more sense compared to Windows ACL’s. I didn’t go over any share specifics and authentication issues, this was just ACL’s! I still have to RTFM my way around that for a while. Next project, join OpenSolaris to a Windows domain. (Which, BTW, does not work in NT Domain style connections, you have to use Active Directory.)
Join Windows 7 to Samba PDC on Ubuntu Jaunty
by Greg on May.31, 2009, under Linux, Networking, Windows 7
I found some info on Google searches to get Windows 7 to join a Samba domain controller. I have Ubuntu 9.04 Jaunty which runs Samba 3.3.2, which I guess does not work. You need 3.3.4. Windows 7 needs a registry change:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
The above need to be added to allow the join to work. Then find the key below and set those values to 0.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"RequireSignOnSeal"=dword:00000000
"RequireStrongKey"=dword:00000000
The Netlogon values need to be updated, or Windows 7 will not allow domain logons. You’ll get an error about credentials and no domain controller, or something like it. Adding the second two will allow the logon.
Adding the registry keys above, plus upgrading Samba, did the trick. I was able to join Windows 7 to Samba 3.3.4, but I did get a weird error about the DNS suffix being wrong. I just said OK and left it. I tried to change it several times after, too, but always get the same error. System working fine so far though!
As for upgrading Samba, you’ll have to Google that one. But here’s what I did, in a nutshell. (This is NOT a HOWTO, just a record of my experience, so if you follow this, it might break your system. Just be warned. A Samba Server book might be nice for more information.) I had a working domain controller, so I had a SAM database already with SID’s and passwords. I didn’t want to lose those. After backing up my server and Samba configs (including all the tdb files) I removed Samba 3.3.2 package from Ubuntu. Then I downloaded the Samba source tar.gz for version 3.3.4, unpacked and “./configure” and then compiled. (make && make install)
At this point I found all my tdb files and copied them into the default Samba installation, which was different than the Ubuntu package. I think the original tdb files from Ubuntu are in /var/lib/samba. I copied all that to /usr/local/samba/var/lock. (the default when compiling from source) I also setup a link from the original smb.conf in /etc/samba to /usr/local/samba/lib/smb.conf.
Now I’ve got my Windows 7 system logged in and joined to my Samba domain!
Ubuntu rndc.key dynamic DNS updates failing
by Greg on May.12, 2009, under Internet, Linux, Networking
Just wanted to add a quick note about this, as I couldn’t find a reason why dynamic DNS updates on my Ubuntu 9.04 system were failing. I had all the right perms, ownership, etc. I even opened up the files to full world writable and still I got errors that the journal files could not be written to.
Log snippets:
error: journal open failed: unexpected error
jnl: create: permission denied
Learning as I go… there’s a thing in Ubuntu called AppArmor. Never even heard of this. This is what was keeping the files from being written to by the bind daemon. I guess AppArmor has been in Ubuntu for a while now, but for several years now I have not run into a situation where I had to mess with it.
Here’s what you change. And keep in mind, this is NOT the correct way to handle this on a production or public DNS server. The cleaner fix is to keep the dynamically updated zone files (and the .jnl journals BIND writes next to them) under /var/lib/bind/, which the stock Ubuntu profile already lets named write to, and leave /etc/bind read-only. But on my tiny LAN or at home, here’s what I did. In the /etc/apparmor.d directory, edit the usr.sbin.named file. Find the line:
/etc/bind/** r,
Change it to:
/etc/bind/** rw,
Then reload the profile (there is no separate AppArmor daemon to restart; use apparmor_parser -r /etc/apparmor.d/usr.sbin.named, or /etc/init.d/apparmor reload) and restart bind9. If your DDNS config in BIND and DHCP is correct, you should start seeing successful updates now.
Here’s a couple links that were helpful on the DDNS setup:
http://brunogirin.blogspot.com/2007/11/dhcp-and-dynamic-dns-on-ubuntu-server.html
http://ubuntuforums.org/showthread.php?t=274665
http://www.ops.ietf.org/dns/dynupd/secure-ddns-howto.html
Also, I wanted to make a note to myself. Creating a new key for DDNS:
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-update-key
That creates a pair of key files (K<name>.+157+<id>.key and .private; 157 is the HMAC-MD5 algorithm number) containing your key string. That string goes into your dhcpd.conf and named.conf.* files as the “secret” of a key statement with the same name, and both sides must match exactly. HMAC-MD5 is the lowest common denominator; where your named and dhcpd both support it, generate the key with -a HMAC-SHA256 -b 256 instead (newer BIND also ships tsig-keygen for this). Keep the key files and the conf files that hold the secret readable only by root and the bind/dhcpd users, since anyone who can read the secret can update the zone. RTFM dnssec-keygen and read up on the links above. :)
Help with Nettiverse naming, FaceBook.
by Greg on Apr.09, 2009, under Geek, Networking
Well I just have too much fun with things like this. I don’t know where it came from, but the Blogosphere was a great name people use. I suddenly thought of Nettiverse because I was trying to connect my blog with Facebook and Twitter. I thought they were pieces of the virtual universe we take part in, the Nettiverse. Now, many people out there are moving away from the Blogosphere and into the Twitterverse. Or maybe it should be called the Twittersphere. Personally, I like Twitterverse.
What’s bugging me is this, Facebook’s name. I haven’t seen or thought up a cool name for it as it exists in the Nettiverse. Anyone out there with a cool idea?
I thought of BookHole! Hahaha! I like it, makes me laugh because that’s exactly what it is, a Black Hole in the Nettiverse. Once you get in, you can’t get out! It sucks you in and wastes away time! But there must be something more fun to call it? Tweet me if you have any ideas. http://twitter.com/gregthegeek
By the way, as people more and more move away from blogs and on to Twitter, I’ve seen a post or two from people suggesting that blogs are a thing of the past. Well, I disagree. I feel they are a useful tool. I use my blog mostly as a tech log. Things I like to remember, things I once fixed. The world out there could care less about it, but that’s not the point. It’s for me. I refer back to it, and it’s easy to get online while I am at a client and can’t remember how I solved a problem. Also, the little tidbits I post are found by Google searchers. So, if I find a solution and it helps just one person out there, right on! Tweets are too short for that. So I like my blog, and I’ll keep using it alongside my Tweets and BookHole. (there’s got to be a better name than that! ??? )
Configure Windows Server 2003 and 2008 w32tm commands on domain controller
by Greg on Apr.07, 2009, under Networking, Windows Server
This drove me nuts! Why Microsoft had to take something totally simple in Windows 2000 and make it a complicated thing is NOT beyond me! This is MS we’re talking about! Of course it’s not easy with newer versions.
Took me a little bit, but here’s the commands I used on our primary domain controller, and it’s working great. That first w32tm command is all one line, and the ,0x8 flag (client mode) belongs after every peer, inside the quotes; put once after the closing quote, it only applies to the last peer in the list.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 pool.ntp.org,0x8" /syncfromflags:MANUAL /reliable:yes
w32tm /config /update
net stop w32time
net start w32time
w32tm /resync /rediscover
That should do it. Note that /reliable:yes marks this DC as an authoritative time source for the domain, so run this on the PDC emulator (of the forest root domain, if you have more than one) and leave the other DCs and members on the default domain-hierarchy sync. And always make sure your firewall allows outbound UDP port 123 (NTP) and the replies; a TCP check of port 123 proves nothing. I initially was receiving this error after running a “w32tm /resync” :
The computer did not resync because no time data was available.
In my case, that was caused by my firewall blocking port 123 for NTP traffic. Go figure, we’ve been running this particular network for probably 2 years with that firewall blocking port 123, and only now did someone come and ask “why is our computer time off by 6 or 7 minutes?” This is when you say, “Welcome to the world, can I help you?” (Good old Beavis) Well, at least we got our server configured better as a “reliable” time source with the right ntp.org pools.
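A PowerShell version of the same procedure, with a reachability check first, as an added example that is not code from the original post. It assumes an elevated PowerShell session on the PDC emulator (PowerShell is built into Server 2008; on Server 2003 it has to be installed) and uses the same pool.ntp.org hosts as above. The check uses w32tm /stripchart, which is an actual NTP request over UDP 123, since a TCP port probe tells you nothing about NTP.

```powershell
# Added example (not from the original post): probe each NTP pool host over
# UDP 123 with w32tm /stripchart, then configure the Windows Time service the
# same way the post does. Assumes an elevated PowerShell session on the PDC
# emulator; peer names are the public pool.ntp.org hosts used in the post.

$Peers = @('0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org', 'pool.ntp.org')

function Test-NtpPeer {
    param([string]$Peer, [int]$Samples = 2)
    # Sends $Samples NTP requests; returns $true only if an offset line such as
    # "10:00:02, +00.0120000s" came back. "error:" lines mean no reply, which
    # almost always means UDP 123 is blocked outbound.
    $out = & w32tm.exe /stripchart /computer:$Peer /samples:$Samples /dataonly 2>&1
    $replies = @($out | Where-Object { "$_" -match '^\d\d:\d\d:\d\d, [+-]\d' })
    return ($replies.Count -gt 0)
}

function Set-ReliableTimeSource {
    param([string[]]$PeerList)
    # Build the peer list once: ",0x8" (client mode) goes after EVERY peer.
    # Passed as a single argument, spaces included, exactly as w32tm expects.
    $manualPeers = ($PeerList | ForEach-Object { "$_,0x8" }) -join ' '
    & w32tm.exe /config "/manualpeerlist:$manualPeers" /syncfromflags:MANUAL /reliable:yes
    & w32tm.exe /config /update
    Restart-Service -Name w32time
    & w32tm.exe /resync /rediscover
}

# Only reconfigure if at least one peer actually answered.
$reachable = @($Peers | Where-Object { Test-NtpPeer -Peer $_ })
if ($reachable.Count -eq 0) {
    Write-Warning 'No NTP peer answered; check the firewall for outbound UDP 123 before continuing.'
} else {
    "Reachable peers: $($reachable -join ', ')"
    Set-ReliableTimeSource -PeerList $Peers
    # On Server 2008 / Windows 7 confirm with: w32tm /query /status  (not available on 2003)
}
```

Run Test-NtpPeer on its own first when you suspect the firewall; if every peer returns $false the configuration step is pointless until UDP 123 is opened.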
Exchange 2007 needs command line to set FQDN of external host name on Send Connector
by Greg on Aug.22, 2008, under Internet, Networking, Windows Server
In Exchange 2007, you have a nice little GUI to set your FQDN on your Send Connector. (Mine is called Outbound, as shown below.)
You can see my FQDN, set under the Hub Transport/Send Connectors of the Exchange Management Console.
However, if you send mail out to an external address, you’ll notice in the headers that your internal server name is still listed! What!? What’s the point of the GUI?
You have to open the Exchange Management Shell and type in a command to solve this. It’s easy.
You just type in the command:
Set-SendConnector -Identity "Outbound" -Fqdn mail.1stbyte.com
Replace “Outbound” with the name of your send connector, and of course, change to your own FQDN, not mine.
It either comes back with an error or, on success, returns nothing. If it succeeded, you can check the headers of a message sent to an external account right away; the Received: line from your server should now show the FQDN.
Have fun!
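An added example (not code from the original post) that sets the Send Connector FQDN from the Exchange Management Shell and then checks the DNS side of it: the name you advertise in HELO/EHLO should resolve to your outbound address, and that address’s PTR record should point back at the same name, since receiving mail servers score on exactly this. It assumes Exchange 2007 EMS, a connector named “Outbound”, and the placeholder FQDN mail.example.com; the lookups use .NET so they work on Server 2008 without Resolve-DnsName.

```powershell
# Added example (not from the original post): set the Send Connector FQDN and
# verify forward/reverse DNS for it. Assumes the Exchange 2007 Management
# Shell, a connector called "Outbound" and the placeholder FQDN below.

$ConnectorName = 'Outbound'
$Fqdn          = 'mail.example.com'   # placeholder; use your real FQDN

function Set-OutboundFqdn {
    param([string]$Connector, [string]$Name)
    # Set-SendConnector returns nothing on success, so read the value back.
    Set-SendConnector -Identity $Connector -Fqdn $Name
    return (Get-SendConnector -Identity $Connector).Fqdn.ToString()
}

function Test-MailHostDns {
    param([string]$Name)
    # Forward (A/AAAA) lookup of the FQDN, then a reverse (PTR) lookup of each
    # address; Match is $true only when the PTR comes back as the same name.
    $results = @()
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name)
    } catch {
        return @(New-Object PSObject -Property @{
            Address = ''; Ptr = ''; Match = $false; Note = "no address record for $Name" })
    }
    foreach ($a in $addrs) {
        $ptr = ''
        try { $ptr = [System.Net.Dns]::GetHostEntry($a).HostName } catch { $ptr = '' }
        $match = ($ptr -ieq $Name)
        $note  = 'ok'
        if (-not $match) { $note = 'PTR missing or different; ask your ISP to set it to the FQDN' }
        $results += New-Object PSObject -Property @{
            Address = $a.IPAddressToString; Ptr = $ptr; Match = $match; Note = $note }
    }
    return $results
}

$applied = Set-OutboundFqdn -Connector $ConnectorName -Name $Fqdn
"Send connector '$ConnectorName' now advertises: $applied"
Test-MailHostDns -Name $applied | Format-Table Address, Ptr, Match, Note -AutoSize
```

If the machine sends through a NAT address that differs from what the FQDN resolves to, run Test-MailHostDns against the public name your outbound IP actually has; that is the name the Send Connector should advertise.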
DFS links to shares on Windows XP SP2 do not work on local system
by Greg on Apr.18, 2008, under Networking, PC Repair, Windows Server, Windows XP
Well, for the larger businesses out there, this may not be a useful tip. But for those of us that support small networks, like less than 50 or even 10 systems, utilizing shares on workstations is sometimes needed. For example, I have servers in almost all of my networks, and their hard drives are fairly large, but I don’t want to save all my downloads and application CDs on the server. With newer workstations sometimes loaded with larger drives than servers, I’d rather make use of that space there. Not with the main, business critical data, but only things that are not needed for backups, or maybe read-only archives. These 500+ GB drives give us a ton of space, and when you have fewer than 10 people accessing this data periodically, this makes perfect sense. Constant read/write access with lots of users would require the server; rarely accessed stuff goes on a workstation.
Here’s the problem I ran into though. I like to use DFS and create a single shared, mapped drive for all the users. In there I might have a couple shares pointing to workstations. On XP SP2, this works fine, EXCEPT if you are accessing the DFS link from the system where the share resides. You will get an Access Denied error, even with all the correct permissions.
Here’s a registry fix that will overcome the issue.
(Remember, use the registry at your own risk. Back it up if you must. Heck, backup your whole system!)
Open this key on the XP system:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup\Parameters
Add a DWORD value:
EnableDfsLoopbackTargets
Change its value to 1.
Reboot the system.
Your share should now work through the DFS mapped drive on the local system (the system where the share itself lives). By default the DFS client refuses to follow a link whose target is a share on the same computer, a loopback target, which is what produced the Access Denied; this value tells it to allow those.
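One way to script both registry changes on this page, the Samba join values for Windows 7 in the post above and the DFS loopback value here, as an added example that is not code from the original posts. It records the previous state before writing so the Netlogon downgrade can be reverted later. It assumes an elevated session with PowerShell 2.0 (built into Windows 7; Windows XP needs SP3 and PowerShell installed separately, otherwise use reg.exe for the Mup value), and the backup file path under $env:TEMP is an arbitrary choice.

```powershell
# Added example (not from the original posts): apply DWORD registry values with
# a backup of the prior state, verify them, and revert on demand. Covers the
# Samba PDC join values (Windows 7) and the DFS loopback value (XP) from this
# page. Assumes an elevated PowerShell 2.0 session; reboot after applying.

$SambaJoinValues = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters'; Name = 'DomainCompatibilityMode';   Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters'; Name = 'DNSNameResolutionRequired'; Value = 0 },
    # The two Netlogon values weaken the secure channel (no forced sign/seal,
    # no strong session key); keep the backup so they can be put back to 1.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\services\Netlogon\Parameters';          Name = 'RequireSignOrSeal';         Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\services\Netlogon\Parameters';          Name = 'RequireStrongKey';          Value = 0 }
)

$DfsLoopbackValues = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Mup\Parameters'; Name = 'EnableDfsLoopbackTargets'; Value = 1 }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Current DWORD, or $null when the value (or key) does not exist yet.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

function Set-RegistryDwords {
    param([array]$Changes, [string]$BackupFile)
    # Save the previous state (Path,Name,OldValue as CSV), then apply each value.
    $backup = @()
    foreach ($c in $Changes) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        $old = Get-RegistryDword -Path $c.Path -Name $c.Name
        $backup += New-Object PSObject -Property @{ Path = $c.Path; Name = $c.Name; OldValue = $old }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Value -Type DWord
        "{0}\{1}: {2} -> {3}" -f $c.Path, $c.Name, $old, $c.Value
    }
    $backup | Export-Csv -Path $BackupFile -NoTypeInformation
}

function Restore-RegistryDwords {
    param([string]$BackupFile)
    # Undo a previous run: restore old values, delete values that did not exist.
    foreach ($b in Import-Csv $BackupFile) {
        if ($b.OldValue -eq '') {
            Remove-ItemProperty -Path $b.Path -Name $b.Name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $b.Path -Name $b.Name -Value ([int]$b.OldValue) -Type DWord
        }
    }
}

function Test-RegistryDwords {
    param([array]$Changes)
    # $true when every value reads back as intended (check before rebooting).
    $ok = $true
    foreach ($c in $Changes) {
        $cur = Get-RegistryDword -Path $c.Path -Name $c.Name
        if ($cur -ne $c.Value) {
            Write-Warning "$($c.Path)\$($c.Name) is '$cur', expected $($c.Value)"
            $ok = $false
        }
    }
    return $ok
}

# Usage on the Windows 7 box being joined (swap in $DfsLoopbackValues on the XP system):
$backupFile = "$env:TEMP\registry-backup.csv"
Set-RegistryDwords -Changes $SambaJoinValues -BackupFile $backupFile
if (Test-RegistryDwords -Changes $SambaJoinValues) { 'Values set; reboot, then join the domain.' }
# Later, to undo the Netlogon downgrade:  Restore-RegistryDwords -BackupFile $backupFile
```

Restore-RegistryDwords is the part worth keeping around: once the Samba side no longer needs the relaxed Netlogon settings, running it puts RequireSignOrSeal and RequireStrongKey back to 1 and removes the two LanmanWorkstation values the join added.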