
Showing posts from September, 2004

Walking into unknown territory

I have immersed myself today in docs about BGP, which is what we need to implement multihoming on our network. A few notes: We need an AS number. We'll probably have to get this from Preginet. We need a routable IP address block, or two same-sized address blocks from AFRDIS and Preginet. I need a router simulator to test my network design, and not frag things up. I need a book on BGP. The docs available on the net are just too overwhelming, and I wouldn't know where to start. I'd probably have to consult with Preginet, and beyond that, with PLDT Datanet people.

Tighter!

Six days into the network reconfig, still no go with the AD-Win98 authentication timeouts. I've also begun to look at other authentication schemes that lock Windows to the desktop only, not on the server side. One promising scheme is pGINA, or Pluggable Graphical Identification and Authentication, an add-on for the standard MS GINA DLL. GINA is part of winlogon.exe, and is loaded at the early part of the boot process. The plan is to have pGINA as the authentication front-end for LDAP, from which users can authenticate for services such as network logins, web access, and webmail. Another cool toy is NetReg, which requires users to register their hardware (NIC MAC addresses) before gaining full network access in a DHCP-enabled environment. Again, LDAP will be used to authenticate valid users. I'm hoping to work this out using my VMWare environment, once I get Slackware to work here. Nice prospects ahead. I've also installed TightVNC on the DC so that the sysads can get to it...

TACACS+, dial-in, LDAP, among others

Last Friday, the Boss asked me to disable TACACS+ on Maui so authentication will just be on the 2500. I was a bit nervous because I wasn't really that comfortable with IOS just yet, and I'd hate to mess around with the router configs with only a very basic understanding of how it works. But there's always a first time for everything, so off I went. I just prepended "no" to all lines that I wanted to disable in the config, crossed my fingers, did a Ctrl-Z and "write". Phew! Easy does it. I've also managed to get the Perl CGI script for proxy user management on Jabber to work. Thank goodness for open source, I was actually able to tweak the code and study it a bit further. Here's my plan: I'm going to study Perl, and what better way to start off than having a project. And I do have one: that of Orso's admuser.cgi. Nothing much to change there, but my plan is to make it work across multiple servers, and include a few nifty features like...

Network configuration, day four

I'm beginning to suspect the problem lies with the W2K3 ADS. We're still getting intermittent authentication failures from W98 hosts, and we can't change passwords even from WXP clients. I'm too lazy to sniff out the packets going to and from ligaya, and besides, I wouldn't know where to look if it bit me on the nose. I've tried searching the AD through ldapsearch. Anonymous ldapsearch can query the directory, but when it comes to authenticated queries, it's a no go. Google has lots of links for me, and I've exhausted each one. I'm itching to post in some mailing lists, but I'm still restraining myself until I can get *at least* a fix on what's really happening. Besides, it could be a W2K3 issue, and from what I have read in the local MS forums, I doubt if they are any help. So back to dipping my nose in the docs. Also: I wonder why using the automatic proxy configuration script works for Mozilla and Firefox (a derivative of Mozilla), an...

109582520648871745

Network reconfig, day one

I'm starting to really, really hate Microsoft. I mean, I didn't use to, because I'm one of those who have to live in an MS environment. But now that we're starting to have problems using Active Directory service and Windows networking, I'm getting this itchy feeling to bash Gates. We're currently on a W2K3 AD environment. Joining WXP is a breeze; it was just a matter of changing a few parameters in the hosts. W98 is another matter. We've been experiencing inconsistent success and failure joining W98 hosts to the AD domain. One moment, the user can authenticate; he/she'd be blocked the next. I'm beginning to suspect that this is a feature, not a bug, in W2K3, since W98 is not really meant for networking, after all. Oh, well. These are just some of the things one has to contend with when one uses -- or is it the other way around: one is being used by -- Windows. No, this isn't MS-bashing time, just the plain truth about ...

TACACS+ and AAA

Took us the whole day figuring out how to set up the dial-in lines using TACACS+ and AAA on a Cisco 2500 series router and Maui. It was doubly hard because although there was an existing config on the router, I only had very basic IOS knowledge. Thank goodness for Google, but even then I had to RTFM every once in a while to check up on what we were doing. Setting up Maui for TACACS+ was a breeze, though, since there was an existing tacacs database in MySQL. It was only a matter of building version 9, and tweaking the settings to match those of the AAA router. Actually connecting through the dial-up modem was another matter altogether, though. We still can't figure out why it would connect one moment, not connect at all the next, and when it does connect, it's extremely slllooooowwww (around 9 - 11 kbps). Probably a noisy line? Or a misconfig on the router? Perhaps. We'll see.

Staging server configuration status

I've finally installed Jabber and Squid in the staging server, jabber. Squid is already running, and has been in use since yesterday. Jabber can peer with Maui, if given the routing permissions on the firewall. But my automatic proxy configuration script can already be used. (Tried it on Firefox on my workstation, but haven't tried it out on IE yet.) I've managed to build Jabberd 2 from source. I had a few hiccups building MySQL. While I already had MySQL 3.x on the server installed through rpm and yum, it turned out Jabberd 2 needs *at least* version 4. Jabberd is configured for localhost -- can't make it accessible from the LAN just yet; problems with port assignment, I think, but I'll get there.

Blog formatting woes

It's probably just me, but I have this quirk of making my web pages validate. When it comes to Blogger, it does, in a way. Before the cool Blogger bar (see above), they had that butt-ugly table banner. Well now, the table layout is okay, I guess, but whenever I try to validate my blog, that darn thing spoils everything. I even emailed Blogger support about this, but they replied that since it doesn't break any functionality in Blogger, it's the least of their priorities. Oh well. I'd like to think that the top bar was their reply to my complaint. Right, dream on. And now that I've got two other ways to blog (Email-to-Blogger and BloGTK), my formatting problems have gotten worse. For the email functionality, my MUA (Thunderbird) breaks up text into whatever column width I specified. That means Blogger treats each line break as a prompt to insert <br /> tags. And, consequently, it looks just plain ugly when rendered on the web. Same thing with BloGTK. It doesn...

Active Directory-OpenLDAP replication

Apparently, it can't be done, because, as pointed out in one mailing list thread I read: Active Directory != OpenLDAP. The best I could do is try out "synchronization" between the two servers. Maybe set up a master server (probably the Win2K3 box) from which to sync the directory schema. More work! Well, at least, it's interesting. Once I get this done, I can move on to my (and every sysad's) Holy Grail: single sign-on. Pipedream...

Proxy load-balancing

I got Squid load balancing to work. All I did was tweak squid.conf on both web cache servers to make them peer siblings. Then I cranked up an automatic proxy configuration script based on hints from the Netscape site. What it basically does is compute a hash based on the URL string of the site to be visited. The script then chooses between the two proxies from which to connect. For direct connections, i.e. for local servers and servers on the DMZ, connections are to be made directly. The http_direct directive in Squid doesn't seem to work for my setup, though. Trivial Boolean logic, I guess. Will have to look into that. Finally, I got the proxies to work. Now on to LDAP authentication. And, oh, I'm also currently installing Jabberd 2. Turns out the staging server doesn't have gcc installed so I had to install that first. (Thank goodness for yum. That Yellow Dog is cool.)
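An added example of the kind of proxy auto-configuration (PAC) script described above; it is not the script from the original post. It returns DIRECT for local and DMZ hosts and otherwise hashes the host name to pick one of two sibling caches, listing the other as a fallback. The proxy host names and ports, the local domain suffixes and the address prefixes are assumptions for illustration (203.0.113.0/24 is the TEST-NET-3 documentation range standing in for the DMZ block). It hashes the host rather than the full URL so that every request to one site lands on the same cache, which keeps sibling misses low. The standard PAC helpers (isInNet, dnsDomainIs, shExpMatch) are deliberately not used, so the same file also runs stand-alone under Node.

```javascript
// Added example PAC script (not the original post's script). Two sibling
// Squid caches; pick one by hashing the host, go DIRECT for local/DMZ hosts.
// Proxy names, ports and address ranges below are assumed for illustration.

var PROXIES = [
  "PROXY proxy1.example.internal:3128",
  "PROXY proxy2.example.internal:3128"
];

// Assumed local domains and LAN/DMZ prefixes that must never go through a proxy.
var DIRECT_SUFFIXES = [".example.internal", ".localdomain"];
var DIRECT_PREFIXES = ["192.168.", "10.", "203.0.113."];

// True for localhost, unqualified names, local domain suffixes and local address prefixes.
function isDirectHost(host) {
  var h = host.toLowerCase();
  if (h === "localhost" || h.indexOf(".") === -1) return true;
  for (var i = 0; i < DIRECT_SUFFIXES.length; i++) {
    var s = DIRECT_SUFFIXES[i];
    if (h.length > s.length && h.slice(-s.length) === s) return true;
  }
  for (var j = 0; j < DIRECT_PREFIXES.length; j++) {
    if (h.indexOf(DIRECT_PREFIXES[j]) === 0) return true;
  }
  return false;
}

// Simple multiplicative string hash, kept as an unsigned 32-bit integer.
function hashHost(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  if (isDirectHost(host)) return "DIRECT";
  var idx = hashHost(host) % PROXIES.length;
  var fallback = PROXIES[(idx + 1) % PROXIES.length];
  // Second entry is tried only if the first proxy is unreachable.
  return PROXIES[idx] + "; " + fallback;
}

// Node-only export for testing; `module` is undefined inside a browser PAC engine.
if (typeof module !== "undefined") {
  module.exports = { FindProxyForURL: FindProxyForURL, isDirectHost: isDirectHost, hashHost: hashHost };
}
```

Because the multiplier 31 is odd, the choice between two proxies reduces to the parity of the sum of the host's character codes, which is fine for spreading load but means a hostile or unlucky set of hosts can all land on one cache; with more than two proxies, or where a site should be pinned to a particular cache, a stronger hash or an explicit map is the better choice.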

Cool new toy

Found a new toy: BloGTK! (Don't mind the "!"; it's all part of their style on their site. "Downloads!" "Screenshots!" "FAQS!") It's a weblog updating client for Linux written in Python and PyGTK. It allows the posting and updating of blog posts in Blogger, Movable Type, and pMachine, among others. And the best part is: it's open source. So no more need to open up a new browser tab (or window, if you're a sadistic person still mucking with IE -- hehe, can't help it, sorry) to create and/or edit blogs. Just fire up BloGTK and off you go. By the way, for Blogger, the server URL is http://www.blogger.com/api/RPC2. Having BloGTK is not a sure-fire way of getting chicks (or studs, whatever your inclination), but it's one damn fine efficient, eherm, productivity tool. (For me, at least, since I use weblogs now to post updates on my workload.)

So far, so good

Okay, here I am on the roadmap so far:
- Added DNS A record for jabber.philrice.gov.ph.
- Set eth0 to 203.xxx.xxx.xxx/28 at the DMZ.
- Set eth1 to 192.xxx.xxx.xxx/23 at the LAN side.
- Set eth1:1 to 192.xxx.xxx.xxx/23 at LAN subnet 1.
- Set eth1:1 to 192.xxx.xxx.xxx/23 at LAN subnet 2.
After I'm through updating jabber, I'll be doing the following:
- Configure squid.
- Configure Squid LDAP authentication.
- Try Active Directory LDAP schema replication.
How will I do this? I don't know just yet. Still rummaging through the docs.

Failing NIC on test server

The NIC, eth0, was the culprit. I kept getting intermittent network connection failures on that interface, and I thought it was due to misconfigured drivers. I even reconfigured the NICs, and had them take on DHCP addresses from the DHCP server. That was when eth0 started barfing. So now I placed eth1 on the DMZ, and got it to connect to the other public servers and to the internet. It's currently downloading headers through yum. Hopefully, I can get *at least* LDAP running on it by the end of the day. If I can ssh to it tonight, maybe I'll try installing Jabber on it, too. That's the easy part. I have yet to figure out how to replicate Active Directory for LDAP authentication of network services.

Mailing blog posts

Blogger has a nifty feature: Mail-to-Blogger. I'm trying it right now, sending a blog post through email. The feature has been around for a while, but I really haven't explored Blogger to the fullest extent (who has, anyway?). It would really be cool if it has a voice-to-blog interface as well. (Hmmm... I read somewhere that's already available. What will they think of next?)

Email-to-Blogger

Blogger has a nifty feature: email blogger. I'm trying it right now, sending a blog post through email. Oh, the feature has been around for a while, but I really haven't explored Blogger to the fullest extent (who has, anyway?). It would really be cool if it has a voice-to-blog interface as well. (Hmmm... I read somewhere that's already available. What will they think of next?)

USB flash disk mounting problem

I've recently upgraded to FC2, kernel 2.6.8-1.521. Everything is in order, my box is humming fine. Except for my USB flash disk. I've overcome the problem of mounting USB flash disks, as described in a previous post. It was a trivial /etc/fstab entry, actually, and just a matter of invoking mount. But that was with the 2.4.22 kernel. When I tried to mount my USB flash disk, my box spewed out the error:

$ mount /mnt/usb
mount: /dev/sda1: can't read superblock

Hmmm... Imploring Mr. Google for guidance, I stumbled upon the OSDL Kernel Bug Tracker "Bugzilla Bug 3223 - Superfloppy formatted USB Storage Devices cause scsi errors". But before applying the patch, I had to make sure that I had the same problem, so I did a bit of digging on my system. My /var/log/messages had these entries:

Sep 12 23:11:16 haus-lnx kernel: usb 2-2.2: new full speed USB device using address 5
Sep 12 23:11:16 haus-lnx kernel: scsi2 : SCSI emulation for USB Mass Storage devices
Sep 12...

Building a team

We recently went on a team-building event at a countryside resort. The goal was to cultivate team spirit in line with plans on converging activities of two divisions in the company, that of Development Communication and Information and Communication Technology. My boss laid out several projects in the pipeline that leverage IT for development, with particular stress on the communications part. Among the projects were single-source publishing (or forking and retooling of content into different media: digital, print, audiovisual); research and development funding sources; and the expected outputs of several IT endeavors in the Open Academy and for PhilRice. The plans got me all excited, of course, but my excitement was dampened a bit by the fact that I'm lagging in my targets. I still haven't found a way to connect Active Directory to LDAP for single sign-on of network services. Multihomed routing is also another headscratcher, although I'm gaining headway in my review on C...

Open source pimp

Got a new vocation: that of plying open source software at the workplace. This is my personal contribution to the open source movement. Apart from using open source, I want to "push" others into using it. In my former workplace, I made it a network policy before I left that all workstations connected to the net use Firefox and Thunderbird for web and email, respectively. There was resistance, of course, but eventually, some of them saw the light, so to speak. With the current rash of holes in IE, they had no choice but to look for alternatives. Now, here in my new work, I've surreptitiously placed Firefox on selected workstations. They wouldn't know the difference, really, because for them, it's all the same: so long as they can access the internet, even if it was a damned monkey hanging by its tail doing the connection for them, they'll grab it. For now, Firefox will do. Later, I'll be putting in OpenOffice.org. Can't wait. (So the allusion in the title di...