Thank you for visiting Sc@-tt3r-ed Thoughts blog. I hope that you find this place both enjoyable, and educational.

A few days ago, I posted an article about creating a hidden share on a Mac server. Well, apparently, with Apple, from version 10.5.8 to version 10.6.x, the way things work actually changed. What a shocker! OK, sarcasm aside, here’s what happened.

In OS 10.5.8, there used to be a file in /var/samba/shares that could be renamed with a “$” sign at the end to make an existing share hidden.

In OS 10.6.2 and above, that “shares” directory just disappeared, and therefore my idea about creating hidden shares with this method became obsolete.

So, I went back out there googling for a solution. Unfortunately, not at a single forum I visited did I find anyone dealing with this issue (strange?), so I started digging in the Samba documents to see if I could somehow find a workaround in the Samba configuration to allow the hidden shares to show up.

Here’s what I found:

Samba, in Snow Leopard, keeps its configuration in /var/db/samba. The file of interest is /var/db/samba/smb.shares. In traditional Samba configurations, shares get their configuration from smb.conf; in this situation, however, smb.shares is the file needed.

So, let’s put down the scenario I was in and how I resolved it:

The Snow Leopard server was the SMB server for home folders, for both Mac workstations, as well as Windows workstations. The home folders for the Mac was at the following path: /Volumes/StudentData/User/Students

The SMB share from within the OS X GUI was pointing exactly at that path, and was shared as a non-hidden share called Students. When creating the Mac home folders, this is the path that gets looked at, and the users’ home folders are created there. That’s a no-brainer. However, when Windows workstations need to map the home directory, they need a different path, mostly because my Windows infrastructure is standardized on the format \\servername\user$\students.

From the GUI, as far as I know, it’s impossible to create a separate share point to the same physical path. However, in SMB it’s possible. Unfortunately, this was not the only challenge, because, even if it was possible to create multiple share points within the GUI, there is no way to make it a hidden share.

So the idea is to create a config file in SMB that will do what we need.

Caution: The file we’re going to change has a warning on top that says: # This file is automatically generated, DO NOT EDIT! This is nothing to worry about in this case, as long as you are aware that this statement is actually TRUE: if you go back to the GUI and modify any of the shares, this file reverts to its default, overwriting any changes you made outside of the GUI. So consider yourself warned, and make sure that you keep your changes somewhere that you can restore from after you make modifications to GUI share points.

Edit the file: /var/db/samba/smb.shares

For the configuration above, the file would look something like this:

#
# Configuration options for smbd(8), nmbd(8) and winbindd(8).
#
# This file is automatically generated, DO NOT EDIT!
#
[Students]
comment = Students
path = /Volumes/StudentData/User$/Students

available = yes
guest ok = yes
inherit permissions = yes
create mask = 0644
directory mask = 0755
oplocks = yes
strict locking = 1
read only = no
Browseable = yes
[global]

In order to add the hidden share to be accessible via \\servername\user$
we’ll add the following section, before the [global] section.

[User$]
comment = Users
path = /Volumes/StudentData/User$
available = yes
guest ok = yes
inherit permissions = yes
create mask = 0644
directory mask = 0755
oplocks = yes
strict locking = 1
read only = no
Browseable = no

[global]

What we have effectively done in this case is create a share that is non-browseable for Samba (by setting the “Browseable = no” parameter) and name the share User$, which is how Windows marks hidden shares. By combining the way both OSes understand hidden shares, we have satisfied all the requirements for both Mac home folders and PC shares, which no longer have to comply with the exact nomenclature that OS X pins us down to. (Take that, Apple!!)
Make sure to restart SMB on the OS X server any time you make a change.
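Since the GUI overwrites smb.shares, the practical way to keep the hidden share is to re-apply it from a script after each GUI change. The following is an added example, not code from the post: it parses an smb.shares-style file, lists which shares would still show up in a browse list, and inserts a [User$] section (Browseable = no) before [global] only if it is not already there. The sample file content is constructed, and the physical path /Volumes/StudentData/User is an assumption taken from the post's description of the home-folder layout.

```python
"""Re-apply a hidden share to Snow Leopard's /var/db/samba/smb.shares after the GUI
regenerates the file (added example; Samba parameter names are case-insensitive)."""
import re
from pathlib import Path

# Constructed sample modelled on the post's file; the path is an assumption.
SAMPLE_SHARES = """\
#
# This file is automatically generated, DO NOT EDIT!
#
[Students]
comment = Students
path = /Volumes/StudentData/User/Students
available = yes
guest ok = yes
read only = no
Browseable = yes
[global]
"""

_SECTION = re.compile(r"^\[(.+)\]\s*$")


def parse_shares(text):
    """Return an ordered list of (section_name, {key: value}); keys lower-cased."""
    sections = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        m = _SECTION.match(stripped)
        if m:
            current = (m.group(1), {})
            sections.append(current)
        elif current is not None and "=" in stripped:
            key, _, value = stripped.partition("=")
            current[1][key.strip().lower()] = value.strip()
    return sections


def visible_shares(text):
    """Shares that appear in a browse list: every section except [global]
    whose browseable setting is not 'no'."""
    return [name for name, opts in parse_shares(text)
            if name.lower() != "global"
            and opts.get("browseable", "yes").lower() != "no"]


def hidden_share_section(name, path):
    """Build the share section exactly as the post lays it out."""
    if not name.endswith("$"):
        raise ValueError("Windows only treats names ending in '$' as hidden")
    opts = [("comment", "Users"), ("path", path), ("available", "yes"),
            ("guest ok", "yes"), ("inherit permissions", "yes"),
            ("create mask", "0644"), ("directory mask", "0755"),
            ("oplocks", "yes"), ("strict locking", "1"),
            ("read only", "no"), ("Browseable", "no")]
    return "[%s]\n" % name + "".join("%s = %s\n" % kv for kv in opts)


def ensure_hidden_share(text, name, path):
    """Insert the hidden share before [global] unless a section with that name
    already exists. Idempotent, so it is safe to run after every GUI change."""
    if any(sec.lower() == name.lower() for sec, _ in parse_shares(text)):
        return text
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.strip().lower() == "[global]":
            lines.insert(i, hidden_share_section(name, path) + "\n")
            break
    else:  # no [global] section at all: append the share and a [global] stub
        lines.append(hidden_share_section(name, path) + "\n[global]\n")
    return "".join(lines)


if __name__ == "__main__":
    shares = Path("/var/db/samba/smb.shares")
    original = shares.read_text()
    updated = ensure_hidden_share(original, "User$", "/Volumes/StudentData/User")
    if updated != original:
        shares.with_name("smb.shares.bak").write_text(original)  # copy to restore from
        shares.write_text(updated)
    print("visible shares:", visible_shares(updated))  # then restart SMB as the post says
```

The script keeps a copy of the original file before writing, which is the "keep your changes somewhere you can restore" advice above turned into a habit; the GUI's own "DO NOT EDIT" header is left in place so nobody is misled into thinking the file is hand-maintained.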


This post is a note to self, as well as a note to any geek out there who has the misfortune of dealing with moving Active Directory accounts across domains.

So, as you may know, I use User Management Resource Administrator (UMRA) to manage my 34,000 students. Some of the challenges I have are more or less self-inflicted and date from before Windows 2008 and its ability to do granular control of password complexity rules. That is for another topic, though. I have to allow my script to move accounts from one domain (DOMAIN1), for elementary students, to the second domain (DOMAIN2), for the secondary students.

If you know about Active Directory, and Security Groups, you will quickly realize that the scope of the security groups in which the AD object resides, and/or any attributes that don’t comply with the second domain will stop the process from migrating that object from one domain to the other.

As of last year, I had 2 main domain controllers holding the FSMO roles without any particular distribution of roles, so my process would work fine. This year, as I’m running the scripts to import the students, every single account that needed a cross-domain migration failed, with the ugly error:

Error 0x80072035 (8245) moving AD object. Error moving-renaming object. The server is unwilling to process the request. (-2147016651)

Yup, that’s ugly, but fortunately, as I explained above, it is caused by incompatible attributes between the two domains, and is therefore fairly easy to fix.

Of course, since my scripts haven’t changed at their core from last year to this year, I didn’t know what was going on.

After additional research, here’s what I found out:

Moving an Active Directory object from one domain to another requires that the server to which the object is bound for the move operation hold the RID Master role. Well, of course, this summer, when I added additional domain controllers to the child domain, I didn’t think of that one line in the 3000-line script. Well, it broke stuff!

Sure enough, after changing the object binding from a non RID Master domain controller, to the RID Master domain controller, everything was peachy again.

What we take out of this: When moving Active Directory objects from one domain to the other, within the same forest, the operation needs to be bound to the domain controller holding the RID Master role.
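A cheap way to avoid rediscovering this after the next domain-controller change is to look up the RID Master at run time instead of hard-coding a server name. The RID Master is recorded as the fSMORoleOwner attribute of the CN=RID Manager$,CN=System,<domain DN> object, and its value is the DN of the owner's NTDS Settings object, whose parent is the server object. The code below is an added example, not from the post or from UMRA: the pure helpers parse that DN and compare it with the server a script binds to, while rid_master_via_ldap queries a live directory through the third-party ldap3 package (assumed installed; credentials and server names are placeholders). The sample DN is constructed.

```python
"""Find the RID Master before binding a cross-domain move (added example)."""
import re

# Constructed sample of an fSMORoleOwner value read from CN=RID Manager$,CN=System,...
SAMPLE_FSMO_OWNER = ("CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,"
                     "CN=Sites,CN=Configuration,DC=domain2,DC=example")


def rid_master_hostname(fsmo_role_owner):
    """The server object is the parent of NTDS Settings; its CN is the short host name."""
    m = re.match(r"CN=NTDS Settings,CN=([^,]+),CN=Servers,", fsmo_role_owner, re.IGNORECASE)
    if not m:
        raise ValueError("unexpected fSMORoleOwner value: %r" % fsmo_role_owner)
    return m.group(1)


def domain_dn(dns_name):
    """'domain2.example' -> 'DC=domain2,DC=example'"""
    return ",".join("DC=" + part for part in dns_name.split("."))


def move_target_is_rid_master(bound_server, fsmo_role_owner):
    """True when the DC a script binds to for the move (short or FQDN) is the RID Master."""
    return bound_server.split(".")[0].lower() == rid_master_hostname(fsmo_role_owner).lower()


def rid_master_via_ldap(server, user, password, dns_domain):
    """Read fSMORoleOwner from the live directory with ldap3 (assumed installed).
    user is 'DOMAIN\\account' for NTLM. Returns the RID Master's short host name."""
    from ldap3 import Server, Connection, NTLM, BASE  # deferred so the helpers run offline
    conn = Connection(Server(server), user=user, password=password,
                      authentication=NTLM, auto_bind=True)
    conn.search("CN=RID Manager$,CN=System," + domain_dn(dns_domain), "(objectClass=*)",
                search_scope=BASE, attributes=["fSMORoleOwner"])
    owner = conn.entries[0].fSMORoleOwner.value
    conn.unbind()
    return rid_master_hostname(owner)


if __name__ == "__main__":
    # Placeholder values; replace with a DC, a service account and the domain name.
    master = rid_master_via_ldap("dc01.domain2.example", "DOMAIN2\\svc-umra",
                                 "<password>", "domain2.example")
    print("bind the move operation to:", master)
```

Checking move_target_is_rid_master at the top of the import script turns the "server is unwilling to process the request" error into a clear message before any account is touched.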


I was trying to apply some Windows updates on Windows XP SP3, and I kept getting the “Checking for the latest updates on your computer”, but never past it. This seems to be due to a problem related to incomplete previous downloads, or some corrupted Windows Updates files.

If you are having this problem, here is how you resolve the problem:

  1. Open a command prompt (Start / Run … type cmd and press Enter).
  2. Type: proxycfg -d (this sets the proxy back to a direct connection to the internet).
  3. Stop the Windows Update service (from the command prompt, type): net stop wuauserv
  4. Now open C:\Windows\SoftwareDistribution and delete all of its contents.
  5. Start the Windows Update service (from the command prompt, type): net start wuauserv

Voilà! now you can go back to the Windows Updates, and it should work like a charm.


VMWare View 4, though great when it’s working, is a real pain when it’s not working or something is broken. I am constantly learning new things with it, and sometimes have to take riskier steps than others, especially since VMware support is less than useful most of the time.

Today’s issue is related to creating a pool of machines, where one of the machines exists in vCenter and in the Composer DB, but for some reason does not get listed within the pool. At this point, the pool’s attempt to create that VM conflicts with the actual VM that exists in vCenter, as well as with the database entries that exist in the Composer DB.

Disclaimer: the following steps involve messing with the VMWare Composer database. I take no responsibility if you end up messing your Composer DB. BACKUP, and proceed at your own risk!

Now that the disclaimer is out of the way. Let’s look at the steps to bring your pool back to life.

  1. Delete the VM from the datastore, or from within vCenter, “Delete from Disk”
  2. Go to the Active Directory OU where your pool workstations exist, and delete the computer object from there
  3. Open up the Composer DB with SQL Management Studio and delete the entries related to that VM:
    - SVI_VM_NAME where NAME is the deployed VM name
    - SVI_VM_COMPUTER_NAME where NAME is the deployed VM name
    - SVI_SIM_CLONE where VM_NAME is the deployed VM name.
    Before you perform this last query, there are 3 other rows to delete, as they have constraints on them:
    - SVI_SC_BASE_DISK_KEYS where PARENT_ID is the ID from SVI_SIM_CLONE
    - SVI_TASK_STATE where SIM_CLONE_ID is the ID from SVI_SIM_CLONE
    - SVI_SC_PDISK_INFO where PARENT_ID is the ID from SVI_SIM_CLONE

After you perform the above steps, check out your provisioning, or re-enable it if it had been disabled due to the error, and things should continue along without a problem.
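The ordering in step 3 matters because the three child tables reference SVI_SIM_CLONE through foreign keys. The following is an added example, not the post's own queries or VMware's schema: it models the tables named in the post in an in-memory SQLite database (column names from the post; the types, primary keys and sample rows are constructed assumptions) and shows that deleting the clone first fails on the constraint, while the child-first order inside a single transaction succeeds. The same DELETE statements, minus the SQLite specifics, are what you would run in Management Studio.

```python
"""Model the Composer DB cleanup to show the dependency order (added example)."""
import sqlite3

# Constructed toy schema: table/column names come from the post, everything else is assumed.
SCHEMA = """
CREATE TABLE SVI_SIM_CLONE (ID INTEGER PRIMARY KEY, VM_NAME TEXT);
CREATE TABLE SVI_SC_BASE_DISK_KEYS (ID INTEGER PRIMARY KEY,
    PARENT_ID INTEGER REFERENCES SVI_SIM_CLONE(ID));
CREATE TABLE SVI_TASK_STATE (ID INTEGER PRIMARY KEY,
    SIM_CLONE_ID INTEGER REFERENCES SVI_SIM_CLONE(ID));
CREATE TABLE SVI_SC_PDISK_INFO (ID INTEGER PRIMARY KEY,
    PARENT_ID INTEGER REFERENCES SVI_SIM_CLONE(ID));
CREATE TABLE SVI_VM_NAME (ID INTEGER PRIMARY KEY, NAME TEXT);
CREATE TABLE SVI_VM_COMPUTER_NAME (ID INTEGER PRIMARY KEY, NAME TEXT);
"""

# Child tables and the column that points back at SVI_SIM_CLONE.ID (from the post).
CHILD_TABLES = (("SVI_SC_BASE_DISK_KEYS", "PARENT_ID"),
                ("SVI_TASK_STATE", "SIM_CLONE_ID"),
                ("SVI_SC_PDISK_INFO", "PARENT_ID"))


def make_sample_db():
    """In-memory database with two clones; lab-vm-03 is the one stuck in the pool."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    db.executescript(SCHEMA)
    db.executescript("""
        INSERT INTO SVI_SIM_CLONE VALUES (7, 'lab-vm-03'), (8, 'lab-vm-04');
        INSERT INTO SVI_SC_BASE_DISK_KEYS VALUES (1, 7), (2, 8);
        INSERT INTO SVI_TASK_STATE VALUES (1, 7);
        INSERT INTO SVI_SC_PDISK_INFO VALUES (1, 7), (2, 7);
        INSERT INTO SVI_VM_NAME VALUES (1, 'lab-vm-03'), (2, 'lab-vm-04');
        INSERT INTO SVI_VM_COMPUTER_NAME VALUES (1, 'lab-vm-03'), (2, 'lab-vm-04');
    """)
    return db


def row_count(db, table):
    return db.execute("SELECT COUNT(*) FROM %s" % table).fetchone()[0]


def naive_delete_fails(db, vm_name):
    """Deleting SVI_SIM_CLONE before its children hits the constraint; nothing is changed."""
    try:
        with db:  # rolls back on exception
            db.execute("DELETE FROM SVI_SIM_CLONE WHERE VM_NAME = ?", (vm_name,))
    except sqlite3.IntegrityError:
        return True
    return False


def remove_orphaned_vm(db, vm_name):
    """Delete every row for vm_name in dependency order inside one transaction,
    so a failure part-way through leaves the database untouched. Returns rows per table."""
    counts = {}
    with db:  # commit on success, roll back if any statement raises
        clone_ids = [r[0] for r in db.execute(
            "SELECT ID FROM SVI_SIM_CLONE WHERE VM_NAME = ?", (vm_name,))]
        for cid in clone_ids:
            for table, col in CHILD_TABLES:
                cur = db.execute("DELETE FROM %s WHERE %s = ?" % (table, col), (cid,))
                counts[table] = counts.get(table, 0) + cur.rowcount
        counts["SVI_SIM_CLONE"] = db.execute(
            "DELETE FROM SVI_SIM_CLONE WHERE VM_NAME = ?", (vm_name,)).rowcount
        for table in ("SVI_VM_NAME", "SVI_VM_COMPUTER_NAME"):
            counts[table] = db.execute(
                "DELETE FROM %s WHERE NAME = ?" % table, (vm_name,)).rowcount
    return counts


if __name__ == "__main__":
    db = make_sample_db()
    print("clone-first delete rejected:", naive_delete_fails(db, "lab-vm-03"))
    print("rows removed:", remove_orphaned_vm(db, "lab-vm-03"))
```

Wrapping the deletes in one transaction is the part worth carrying over to the real database: with a backup taken first, a typo in one WHERE clause then rolls back instead of leaving half of a VM's rows behind.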


Since I spent 45 minutes trying to figure out this problem, I figured, it’s worth posting it for others to benefit from. To start, I’m not really sure if this problem is a new addition to the new 3.0.1 version of WordPress, but it is worth considering that variable, since I started dealing with this problem as soon as I upgraded to 3.0.1 this morning.

The issue is that every time that I went to the plugins.php page, I would receive the following error:

Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 491520 bytes) in /home1/foreignk/public_html/blog/wp-admin/menu.php on line 235

The first thing that came to mind was to check the php.ini memory_limit directive, which was set to 32M. Changing it to 64Mb didn’t help. At this point, I wasn’t sure what was going on, so I started looking in the WordPress code to see if the value was hard-coded somewhere. In the forums, some people suggested adding define('WP_MEMORY_LIMIT','64M'); to the wp-config.php file. That also did not help.

During this time, phpinfo.php was actually showing the memory_limit to be set as I set it in php.ini, which was even more baffling.

The solution was finally found in the file /wp-includes/default-constants.php

In that, there is a section commented //set memory limits (see code below)

I just changed the values to 128M and 64M respectively. After this change, my plugins.php loaded again, and I was no longer getting the memory error.

Hope this helps somebody out there.


One of the projects I’m working on is actually laughable, because that situation should never have happened in the first place, but I can’t take responsibility for that, since I inherited it. I have 3000 users in Active Directory whose username includes a space. That’s right, John Doe’s username is actually domain\john doe. If you ever write any scripts, or do anything related to accounts, you will immediately realize that it is a nightmare to maintain user accounts with spaces, for the most part because it is industry standard to create user accounts without spaces.

So, that is my challenge. My project involves taking every user account in Active Directory and changing John Doe into jdoe. Sounds simple at first glance, but when there are tons of John Does and James Does, a bit of complexity is introduced in creating a username algorithm, not to mention notifying the users of this change and maintaining these changes in a database. I won’t get into that piece in this article. I’ll save it for another post.

The main purpose of this post, though, is the result of my research into successfully renaming a user account fully, all the way from Active Directory to the user’s profile name on their workstation.

The challenge with profile names and AD accounts is that a lot of scripts running on users’ workstations call the “%USERNAME%” or “%HOMEPATH%” environment variables; in general, scripting usually refers to the %USERNAME% variable, which will end up not matching the actual home path of the user after an account name change.

Changing an account name in Active Directory only changes the name; it does not change the SID of the account.

Let’s look at a quick example:

If we rename the username john doe in Active Directory to jdoe, the profile folder on the user’s workstation is still c:\documents and settings\john doe. When the user logs in with the new username, the profile c:\documents and settings\john doe will in fact load, and the user will not see a difference, but there is now a discrepancy between the username and the user’s home path.

If we just rename the folder from c:\documents and settings\john doe to c:\documents and settings\jdoe, you would think the problem would be resolved. In reality it won’t be, because the account is tied to a SID, and the profile image path recorded for that SID still points to the old folder, which no longer exists. Windows at this point creates a new profile for the user and names it jdoe.domain, in which none of that user’s data or settings exist, because Windows believes that the original profile with the data has been deleted.

So, what’s the fix for this? Actually, it’s very simple: there’s a registry change that needs to be made in addition to the user profile folder rename, and that will take care of the problem. The key is knowing the SID that corresponds to a particular user. The getsid.exe utility from the Windows 2003 Support Tools will help get that information.

Once the SID is found, open your registry and navigate to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>\ProfileImagePath

Note that the name of the folder needs to be changed while the user is not logged in to it; otherwise the following error will pop up:

Documents and Settings is a Windows system folder and is required for Windows to run properly. It cannot be moved or renamed

The value of ProfileImagePath needs to be changed to the new username after the actual folder name has been changed as well. Once this is done, log off the session, log back on, and note that all the names are now synced and things are back to normal.

For additional details on this issue, or some variants of it, you can check out Microsoft’s kb314843.
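With 3000 accounts to rename, the folder rename and the ProfileImagePath edit are worth scripting together so they cannot drift apart. The code below is an added example, not from the post or from Microsoft: plan_profile_rename works on a plain SID-to-path mapping (the constructed SAMPLE_PROFILES stands in for what the registry holds) and refuses to proceed if the old folder matches zero or several profiles or the new name collides with an existing profile; read_profile_list and apply_profile_rename do the real work on a Windows host through the standard winreg module and must run elevated while the user is logged off, as the post's error message implies. The SIDs and paths in the sample are constructed.

```python
"""Rename a profile folder and fix the SID-keyed ProfileImagePath together (added example)."""
import ntpath

PROFILE_LIST = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

# Constructed sample of the registry enumeration result: SID -> ProfileImagePath.
SAMPLE_PROFILES = {
    "S-1-5-18": r"%systemroot%\system32\config\systemprofile",
    "S-1-5-21-1111-2222-3333-1005": r"C:\Documents and Settings\john doe",
    "S-1-5-21-1111-2222-3333-1042": r"C:\Documents and Settings\jane doe",
}


def plan_profile_rename(profiles, old_name, new_name):
    """Locate the profile whose folder is old_name; return (sid, old_path, new_path).
    Matching the last path component only keeps look-alike users out of the blast radius."""
    matches = [(sid, path) for sid, path in profiles.items()
               if ntpath.basename(path).lower() == old_name.lower()]
    if len(matches) != 1:
        raise LookupError("expected exactly one profile named %r, found %d"
                          % (old_name, len(matches)))
    sid, old_path = matches[0]
    new_path = ntpath.join(ntpath.dirname(old_path), new_name)
    if new_path.lower() in (p.lower() for p in profiles.values()):
        raise FileExistsError("another profile already uses %s" % new_path)
    return sid, old_path, new_path


def rename_conflict(profiles, old_name, new_name):
    """None when the rename is safe to apply, otherwise the reason it was refused."""
    try:
        plan_profile_rename(profiles, old_name, new_name)
    except (LookupError, FileExistsError) as exc:
        return str(exc)
    return None


def read_profile_list():
    """Enumerate HKLM\\...\\ProfileList on a live Windows host (needs winreg)."""
    import winreg
    profiles = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROFILE_LIST) as root:
        i = 0
        while True:
            try:
                sid = winreg.EnumKey(root, i)
            except OSError:  # no more subkeys
                break
            with winreg.OpenKey(root, sid) as sub:
                profiles[sid] = winreg.QueryValueEx(sub, "ProfileImagePath")[0]
            i += 1
    return profiles


def apply_profile_rename(old_name, new_name):
    """Rename the folder first, then point ProfileImagePath under the user's SID at it.
    Run elevated while the user is logged off; the folder cannot be renamed in use."""
    import os
    import winreg
    sid, old_path, new_path = plan_profile_rename(read_profile_list(), old_name, new_name)
    os.rename(os.path.expandvars(old_path), os.path.expandvars(new_path))
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROFILE_LIST + "\\" + sid,
                        0, winreg.KEY_SET_VALUE) as sub:
        winreg.SetValueEx(sub, "ProfileImagePath", 0, winreg.REG_EXPAND_SZ, new_path)
    return sid, new_path


if __name__ == "__main__":
    print(apply_profile_rename("john doe", "jdoe"))  # on the user's workstation
```

Because the SID never changes, the ACLs on the renamed folder keep working; the registry value is the only pointer that has to follow the rename, which is exactly why Windows otherwise falls back to creating jdoe.domain.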


As I usually do occasionally on my phone, I went to the App Store to check for updates. Since the release of iOS 4, one of the main reasons I repeatedly checked for updates was the Skype application.
There was an application for the iPhone called Fring, and in and of itself it is a great app. For a little while, they even supported the Skype protocol, which was exciting. Not too long after its release, though, Skype and Fring got into a legal battle, and since then Fring has removed its support for Skype.

Well, this morning my day was made! Skype finally released its iPhone update, which makes Skype iOS 4 compatible; more specifically, it allows Skype to run in the background. I had always wondered what this would mean for Skype running on the iPhone, when both my cell number AND my Skype number are connected to my Google Voice number, the latter of which is the one I give out to people.

So I decided to do a quick test:

First I opened up Skype and put it in the background, then I called myself on my SkypeOut number. A push notification popped up on my phone with the Skype ringtone, and I was able to pick up the Skype phone call. FTW! I pretty much expected this test to work ok.

The real test, however, was the case where I would receive a phone call on the Google Voice number. I was wondering how my phone would handle this. Well, it was surprisingly good. When I dialed my Google Voice number, my phone’s ringtone actually sounded, the Skype ringtone did not, however, the push notification still popped up for the Skype call, while the cell number was ringing. Granted, the push notification goes behind the dialer window, so I had to reject the cell call, and then click on “Answer” on the Skype notification. At this time, the Skype app was foregrounded, and the Google Voice greeting sounded.

In a couple of instances, when dialing the GV number, the Skype push notification didn’t actually show up, and that may be due to the order in which Google Voice dials, or rather establishes a connection to, my devices. Not really a big deal, and I’m not even sure that there is a way to make this problem completely disappear. After all, the way I’m using my cell number and the Skype number under a Google Voice number is probably not a very common way people use these services, but in my mind, if the more complex setups work, then the simpler ones will definitely work.


Powershell is quite a powerful scripting language that has been around for a while. It has simplified the administration of servers and applications quite a bit, and in and of itself is actually simpler to manipulate than regular scripting languages (e.g. shell scripting, Perl, VB). Moreover, these other languages require a script that would be 100 lines long to do the job of a one-liner in Powershell.

Because of the complexity of scripts, and the high level of knowledge required to write something as simple as returning a quick report about some servers, combined with quite a number of administrators who are not very well versed with scripting, the need for something like PowerGUI is huge.

What is PowerGUI, you ask? Well, in a nutshell, it’s a Powershell scripting tool that allows the importing of “Powerpacks” that other people have already written. In addition, it’s also a great tool to write Powershell scripts in: it has syntax highlighting, and suggestions with an explanation of the functions as well as their usage. For existing VB scripters, it has a built-in VBScript-to-Powershell converter. You choose the function that you would otherwise use in VBScript, and PowerGUI will automatically convert that into Powershell syntax: extremely convenient!

The Powerpacks are the heart of PowerGUI. There are quite a few of them. The most prominent are the ones for VMWare management, Hyper-V management, and Exchange 2003, 2007 and 2010 management. The latter is extremely convenient, especially for Exchange 2007 and 2010, as those products rely almost solely on Powershell for management. Some administrators simply don’t have this skill, and most would simply prefer to use a pre-packaged GUI instead of re-inventing the wheel.

This free utility is quite a power-house, and a must for any administrator. There is a PRO version of the same utility, which allows for web-based Powershell scripting, and is sold by Quest. For most, the free utility will more than suffice.


A few days ago, I noticed that some of my servers had become really slow. The login process would take close to 5 or 6 minutes just to load user settings, and then navigating through Windows Explorer was agonizingly slow.

I couldn’t figure out what was going on. Since it was happening on multiple servers, and they were production servers, my choices were simple: fix the problem. Rebuilding was out of the question.

In order to troubleshoot this problem, I had to find a way to figure out how to see what is going on behind the scenes. There are some utilities like procmon that would help with the issue, however, even those tools make it a bit hard to decipher what’s happening in the background.

The best tweak that I found for this kind of problem is to enable User Environment Logging. This is built-in Windows logging that essentially logs any event related to the user environment. So I enabled that. Here’s how I did it:

  1. Click Start
  2. Click Run
  3. Type: regedit
  4. Click OK
  5. Open or browse down to the following location in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  6. Right click in the right hand pane
  7. Select New > DWORD value
  8. Set the DWORD name to UserEnvDebugLevel
  9. Double-click the UserEnvDebugLevel value, set the data to: 0x00030002

After you add this value, Windows will create the following file:

C:\Windows\Debug\UserMode\userenv.log

Now, by logging out and back into Windows, a whole bunch of great information got logged into the userenv.log file.

In my case, the login was being slowed down quite a bit on userinit.exe and explorer.exe. Of course, that didn’t really help me that much, unfortunately, at least not by directly looking at that log, but I knew that I had realtime scanning turned on in my anti-virus, so I tried turning that off, and bingo! The speed was restored to normal. So now I have to figure out what I need to tweak in the A/V so that it no longer hangs up Explorer like this.

One word of caution: since userenv.log logs pretty much every action on the computer related to files, it can become quite big. So be sure to turn it off, by deleting the UserEnvDebugLevel registry entry under the key from step #5, or you will be dealing with a full hard drive in a couple of days.


A couple of days ago, I was dealing with the issue of home directories residing on Mac servers: the users connect to these home directories, which are auto-created, from their Mac workstations, but the same home directories also need to be available for mapping via login script to the Windows clients.

The problem that I was faced with, which also matches my philosophy about security, was that everywhere else where I had created shares, I had them set up as hidden shares. Something makes me uneasy knowing that users would be able to just browse all shares (even though they can’t really access them) if the shares are not hidden.

So, in all my Windows environments, where user data is on Windows shares, the path looks something like this:

D:\User\Students\%USERNAME% with a share point physically pointing to D:\User, and named user$, so the path to the user’s home directory from a UNC perspective would look like this:

\\servername\user$\students\%USERNAME%

Can you guess where the problem is on a Mac, trying to create the same type of share?

\\servername\user$\students\%USERNAME%

From my research, it doesn’t seem like it’s even possible to create a hidden share from Mac OS X Server, at least not natively. I have tried everything, from changing the name of the share to have a “$” sign in it, to changing the share name in the SMB protocol options. None worked or returned the expected result.

The solution ended up being a hack, it’s not permanent, as it will revert back to non hidden state if any changes are made to that share point, but, realistically speaking, once a share is created, it’s permanently there, or at least long term.

To make a share hidden on a Mac, so that Windows can access it, create the Mac share, enable the SMB protocol, and specify the name of the share. To be consistent with the above example, we’ll name the sharepoint “user”.

Once the share is created, and all the ACLs are set, open up Terminal, and su - to root

then: cd /var/samba/shares

The share we just created above will show up in that directory, just rename that to user$:

mv user user$

Now, try to access the share like you would from Windows: \\servername\user$\students\%USERNAME%

You will notice that you are now able to do so without any problems.

Of course, this article is only explaining how to create a share, and not how to properly configure Samba. There are additional details that you need to be aware of when configuring Samba, mostly related to user authentication, especially if the Macs are not authenticating to a common directory. This article can give a bit of insight into how that works: http://www.samba.org/samba/docs/using_samba/appf.html
