Yosemite Server SMB and Windows

A few people have hit me up about issues getting Windows machines to play nice with the SMB built into Yosemite Server. Basically, the authentication dialog keeps coming up even when a Mac can connect. There are two potential issues that you might run into here.

The first is that the authentication method is not supported. Here, you want to enable only the one(s) required. NTLMv2 should be enabled by default, so try NTLM:
sudo serveradmin settings smb:ntlm auth = "yes"
If that doesn’t work (older, and by older I mean old as hell, versions of Windows), try LanMan:
sudo serveradmin settings smb:lanman auth = "yes"

The second is that the authentication string (which can be seen in Wireshark) doesn’t include the workgroup/domain. To resolve this, simply include the server name or workgroup at the beginning of the username, followed by a backslash (\). So you might use this as a username if your NetBIOS name were kryptedserver:
kryptedserver\charles
To get that exact name, use serveradmin again to look at the smb:NetBIOSName attribute:
smb:NetBIOSName = "kryptedserver"

Need A Password? There’s An App For That!

Remember this comic: Regrettably, password policies don’t allow for a few random words at most organizations, so a special character, a capital letter and a number are basically required in most passwords these days. However, if you need a quick and dirty generator that includes a phrase and those additional characters, consider MyPhrase from Björn Albers. It’s simple to use, fast and easy. Good luck out there!

Fix Table Corruption In MySQL

Corruption happens. Sometimes, it’s little things that cause problems. With MySQL, the mysql command line tool has long held the answer for easy corruption issues. There are a number of tools to repair corruption, but the place to start is the REPAIR command within that trusty mysql command line tool.

To start, let’s try a backup. In this case, I’m going to use a tool those of us who deal with Media Assets frequently tinker with, CatDV. I’m going to back up the databases with a simple mysqldump command, defining the user and then piping the data out to some backup file, which in this case is catdvbak on the desktop:
mysqldump -u catdvadmin -pcatdv catdv > ~/Desktop/catdvbak
If this fails due to corruption then I personally like to stop my databases and back them up flat before I make any changes to them, which a repair command will of course do. Then, we’ll need to tap into mysql:
mysql -P 1099 -p
Then, we will be in an interactive mysql environment. Let’s just say the auditLog table in the catdv database is corrupt. First, select the database:
use catdv;
Then, repair that table:
REPAIR TABLE auditLog;
Note: You’ll need to quote things if the name of your table isn’t quite so simple and has special characters. Then try and re-run your backup if it didn’t complete and you should be good to go! If the repair doesn’t go swimmingly, check out myisamchk for more detailed options.
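The dump-then-repair flow above as a small shell script. This is an added example, not code from the original post: it tries the dump, and if that fails it runs REPAIR TABLE on the suspect table and retries, with a helper that backtick-quotes identifiers so table names with special characters (the case the note mentions) work. Database, user, table and output path are arguments, so the catdv values below are only an illustration.

```shell
#!/bin/sh
# Added example: dump a database; if the dump fails, REPAIR the suspect table
# and retry. Assumes mysql and mysqldump are on PATH and prompt for the
# password (-p). None of the names here come from the post's own setup.

# Backtick-quote an identifier, doubling any embedded backtick, so a table
# called e.g. audit-log is accepted by the server.
quote_ident() {
  printf '`%s`' "$(printf '%s' "$1" | sed 's/`/``/g')"
}

# Build the same statements the post types into the interactive session.
repair_sql() {
  printf 'USE %s; REPAIR TABLE %s;' "$(quote_ident "$1")" "$(quote_ident "$2")"
}

# backup_with_repair DB USER TABLE OUTFILE
backup_with_repair() {
  db=$1; user=$2; table=$3; out=$4
  if mysqldump -u "$user" -p "$db" > "$out"; then
    return 0
  fi
  echo "mysqldump failed; repairing $db.$table and retrying" >&2
  # Keep the failed partial dump rather than silently overwriting it.
  mv -f "$out" "$out.failed"
  mysql -u "$user" -p -e "$(repair_sql "$db" "$table")" || return 1
  mysqldump -u "$user" -p "$db" > "$out"
}

# Example call (interactive; prompts for the password each time):
# backup_with_repair catdv catdvadmin auditLog ~/Desktop/catdvbak
```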

Installing phpLDAPadmin

phpLDAPadmin is a tool that can be used to walk LDAP trees and view attributes of objects located within them using a web browser. This isn’t to say that it’s the prettiest tool out there but it works really well and is portable between various flavors of LDAP. Before you can use phpLDAPadmin you will need Apache. In Ubuntu, Apache can be installed using apt-get:
apt-get install apache2
Once you have Apache installed, downloading phpLDAPadmin and installing it in Ubuntu Server 10 couldn’t be easier, just apt-get the package:
apt-get install phpldapadmin
Now you have the pieces, let’s copy phpLDAPadmin into your web root directory:
cp -R /usr/share/phpldapadmin /var/www/myphpldapadmin
In that new directory you will see a config file. Here, you’ll see some lines that appear as follows:
$ldapservers->SetValue($i,'server','name','My LDAP Server');  // The name to display
$ldapservers->SetValue($i,'server','host','');  // Address of the LDAP server
$ldapservers->SetValue($i,'server','port','389');   // Port number
$ldapservers->SetValue($i,'server','base',array('dc=example,dc=com'));  // Base dn
$ldapservers->SetValue($i,'login','string','uid=<username>,ou=People,dc=example,dc=com');
You’ll want to provide the address, port number (if the port isn’t 389) and DN information of your server, then connect by visiting the website created via Apache (if the server name were ldapserver.local, this might be http://ldapserver.local/phpLDAPadmin). Provide the username and password and you should be able to use phpLDAPadmin. Happy LDAP’ing!

Managing Active Directory from iPhone

AD HelpDesk is a tool that can be used to manage certain aspects of Active Directory user accounts. Using AD HelpDesk, you can configure an iOS based device to connect to Active Directory using an administrative account (or an account that has been delegated administrative access). Using the tool, you can then find a user. Using the user pane, you can unlock accounts, reset their passwords, force the resetting of the password on the next authentication event and optionally send a user their new password via SMS (a really cool little feature, IMO). There are a lot of useful ways to fit this tool into your service desk or network administration toolbox. Most notably, if you have field services engineers, they can reset passwords easily without needing to take computers with them to visit end users. Or, provided you have VPN access into your environment, you could also reset a password for the executive that calls the emergency line while you’re at the water park with the kids. Overall, a nice niche tool that does exactly what the description on the App Store claims! Note: In the interest of full disclosure, the developer essentially supplied me with a free copy of the application; however, as always, if I didn’t think it worked well I wouldn’t be posting it either way.

Setting up CHAP on LeftHand w/ CLI

LeftHand Storage uses the cliq command line for configuring their devices. cliq isn’t necessarily interactive and so we end up needing to specify the username, password and IP of the device with each command (although you can set up a key as well if you’re going to be doing automated tasks). One task that I’ve found to be pretty common is to use cliq to enable CHAP authentication for volumes. To do so you’ll use the assignVolumeChap verb. Along with the assignVolumeChap verb you will need a number of options, each with an = for the payload of the option and delimited with a space between them. When using the assignVolumeChap verb you will need to supply the volume that you will be enabling authentication on, which is done using the volumeName option. You will also need to assign a password that will be entered on devices in order to connect to the target/volume, done using the targetSecret option. With most commands you will also need to specify the address of the storage node, the administrative user for that storage node and the password for it as well, which are done using the login, userName and passWord options respectively. You can obtain information about volumes using the getLocalVolumes verb:
cliq getLocalVolumes
To put all of these together, let’s look at an example where the storage node has an IP address of, an administrative user name of admin and an administrative password of ADMINPASSWORD. For this storage node we have a volume that we have created called MYSHAREDVOLUME and want to use a password of PASSWORDFORLUN to access it.
cliq assignVolumeChap volumeName=MYSHAREDVOLUME targetSecret=PASSWORDFORLUN login= userName=admin passWord=ADMINPASSWORD
Some other important verbs we’ve had to use are createCluster, connectVolume, configureRaid, createRemoteSnapshot (which is good to do before making any changes btw) and of course, createVolume (which you would need to do before assigning authentication to the volume). Each item that has a create typically has an associated delete (eg – deleteVolume, deleteRaid, etc) and an associated modify (eg – modifyVolume, modifyRaid, etc), which can be used to remove the added item and edit it (respectively). Overall, there are a lot of verbs that can be used with cliq, making it a somewhat robust scripting interface if you need to automate events. Another verb I find that I use a lot when I’m first setting up a device is the getPerformanceStats verb, which has a single option in interval, the number of milliseconds between sampling the performance statistics.

Accessing MobileMe Public Folders

Public Folders in Mobile Me can be password protected. They can also be set as Read Only, using the iDisk tab of the MobileMe System Preference pane. Here, in a section called Your iDisk Public Folder you will see an option to Allow others to: and you will be able to set this to Read only or Read and Write. If you set it to Read only then while users will be able to see the files you store on your iDisk they will not be able to alter them. If you set it to Read and Write then other users will be able to upload to your Public Folder. But if you check that box for Password-protect your public folder then you might wonder just what username and password combination to use. Well, the password is simple enough, just click on the Set Password button. But the username… Click on the link listed in the Preference pane and you’ll be asked not just for a password but also for a user name. It’s public. Simple enough, but who’d have guessed. Obviously you can also use your actual MobileMe username and password, but most users aren’t going to want to hand that out to others. When you provide others with access then you will tell them to do one of two things. #1, open http://public.me.com/ followed by your username. When they are prompted they’ll enter public for the user name and then the password you set as the password. The other way is from a Mac, click on the Finder, then click on Go, then click on iDisk, then click on Other User’s Public Folder. Here they’ll be prompted for a username and password. That too is the username public followed by the password you entered in the System Preference pane. In order to upload and download files you will have an easier time of it, assuming that the MobileMe System Preference pane already has your username and password stored. All you have to do is click on the Go menu, then click on iDisk and then click on My iDisk. Or, use the keystroke combo of Command-Shift-I. 
In your iDisk you’ll see a folder called Public, which should mirror what others see in your iDisk.

Getting Started with Amazon's EC2 Cloud

Yesterday I did a quick review of the various cloud offerings from Amazon. Previous to that I had done a review of using S3, the Amazon storage service, with Mac OS X, primarily through the lens of using S3 as a destination for Final Cut Server archives. Today I’m going to go ahead and look at using EC2 from Mac OS X. To get started, first download the EC2 tools from Amazon. Next, log into Amazon Web Services. If you don’t yet have a login you will obviously need to create one to proceed. Additionally, if you don’t yet have a private key you’ll need one of those too; in that case there will be a big green box to create it when you first log in. When the keys are created you can double-click on the x.509 certificate file to install it into Keychain. This key is a private key, so make sure not to give it out. You can return to this screen later if you need to. Next, go to the AWS Management Console. Because I don’t personally find the site terribly user friendly I like to keep the Management Console bookmarked. Once you have the Management Console open, click on Instances and then click on Launch Instance. You will then be greeted by a list of prebuilt virtual machines that you can use. Amazon has built Fedora and Windows for you, which will be listed under the QuickStart tab of the Launch Instances screen; however, you can also click on Community AMIs in order to use one that has been built and made available by others within the EC2 community. These include Debian, Ubuntu and CentOS (amongst others). Once you have picked your poison, click on Select and you will then be prompted to create a key pair specifically for the instance. The reason for this is that you might have instances whose access you’d like to hand out to people who shouldn’t have access to all of the images in your account. You can skip this step or enter a name for the keypair and click on Create. Now click on Continue and you’ll be prompted to create a security group.
A security group controls the ports that are opened to/from your virtual machine. For Windows you’ll pretty much always want RDC (3389) open and for *nix, typically SSH. Amazon tries to make this easy and so pre-fills the form with common ports based on your use. Think of a security group like an Access Control List on a Cisco. You can reuse them across various instances. Next, click Continue. Next, you’ll be asked to provide a name for the VM (aka AMI), a number of instances of the VM and whether the AMI is to be a smaller, standard item or whether it will be hit with high CPU utilization. You’ll also be able to select the security group to apply to the host based on the previous information. The name will be automatically filled in based on the template you chose to use, so you can click on the Change button if you’d like to supply a new name. Next, click Launch and the AMI will start to fire up, becoming an instance. Windows AMIs will take a little longer in my experience than Linux AMIs. While the instance is booting, it is worth mentioning that at this point you’ll notice the option to launch/create volumes and what Amazon calls Elastic IPs. Amazon doesn’t provide an IP for free, as you may have noticed when you accepted their terms of service. Therefore, if you are going to create an instance that will have static access over the WAN using a static IP, you will need to go ahead and assign an Elastic IP to it. Unless, that is, you can communicate with the instance even if it has a dynamic IP (there are a ton of ways to do this). The volumes option allows you to build storage that is independent of the instance. This can be used to mount on multiple instances (although I haven’t found a way to do so concurrently) or to simply have storage independent of the instance so that you can easily move data. Now click on Instances. Here, you’ll note that your newly created instance is listed.
Click on it and then click on More Actions and select Get Password (where OS is the OS you chose to set up). Here, you’ll receive an option to decrypt the password using the private key. You can cat the .pem file that was downloaded when you set up the key and copy/paste the entire contents into the field. Once the field has been populated, click on the Decrypt button and you will see the Admin/root password for your new virtual host. Next, click on Connect and you’ll find instructions to connect to your new instance (for Windows it will be a dynamic DNS entry to use RDC with). You can now log in. Once you have connected it is as though you are in a typical VM environment. Next, you’ll want to take a look at the options for Bundle Tasks (if you’re using Windows), which allows you to duplicate an AMI into multiple instances. You’ll also want to look at Volumes, as mentioned previously, and Snapshots, which can be used to back up the Volumes. Overall, we were able to create a new instance of Fedora, Windows or Ubuntu (even those tuned to be Active Directory domain controllers, LAMP hosts or SQL), faster than if we installed it from scratch and without using any resources outside of Amazon to do so. Later, we’ll look at doing all of this from the command line. And don’t forget to stop your instance so that you don’t get billed for all that time that you’re not using it!