Technical HowTo



A few days ago, I posted an article about creating a hidden share on a Mac server. Well, apparently, with Apple, from version 10.5.8 to version 10.6.x, the way things work actually changed. What a shocker! OK, sarcasm aside. Here’s what happened.

In OS 10.5.8, there used to be a file in /var/samba/shares that could be renamed with a “$” sign at the end, to make an existing share hidden.

In OS 10.6.2 and above, that “shares” directory just disappeared, and therefore my idea about creating hidden shares with this method became obsolete.

So, I went back out there googling for a solution. Unfortunately, at not a single forum I visited did I find anyone dealing with this issue (strange?), so I started digging in the Samba documentation to see if I could somehow find a workaround in the Samba configuration to allow the hidden shares to show up.

Here’s what I found:

Samba, in Snow Leopard, keeps its configuration in /var/db/samba. The file of interest is /var/db/samba/smb.shares. In traditional Samba configurations, shares get their settings from smb.conf; in this situation, however, smb.shares is the file needed.

So, let’s put down the scenario I was in and how I resolved it:

The Snow Leopard server was the SMB server for home folders, for both Mac workstations and Windows workstations. The home folders for the Macs were at the following path: /Volumes/StudentData/User/Students

The SMB share from within the OS X GUI was pointing exactly at that path, and was shared as a non-hidden share called: Students. When creating the Mac home folders, this is the path that gets looked at, and gets the users’ home folder. That’s a no-brainer. However, when Windows workstations need to map the home directory, they need a different path, mostly because my Windows infrastructure is standardized to the format of: \\servername\user$\students.

From the GUI, as far as I know, it’s impossible to create a separate share point to the same physical path. However, in SMB it’s possible. Unfortunately, this was not the only challenge, because, even if it was possible to create multiple share points within the GUI, there is no way to make it a hidden share.

So the idea is to create a config file in SMB that will do what we need.

Caution: The file we’re going to change has a warning on top that says: # This file is automatically generated, DO NOT EDIT! This is nothing to worry about in this case, as long as you are aware that this statement is actually TRUE! Meaning, if you go back to the GUI and modify any of the shares, this file is going to revert to its default, overwriting any changes you made outside of the GUI. So consider yourself warned, and make sure that you keep your changes somewhere that you can restore from after you make modifications to GUI share points.

Edit the file: /var/db/samba/smb.shares

For the configuration above, the file would look something like this:

#
# Configuration options for smbd(8), nmbd(8) and winbindd(8).
#
# This file is automatically generated, DO NOT EDIT!
#
[Students]
comment = Students
path = /Volumes/StudentData/User$/Students

available = yes
guest ok = yes
inherit permissions = yes
create mask = 0644
directory mask = 0755
oplocks = yes
strict locking = 1
read only = no
Browseable = yes
[global]

In order to make the hidden share accessible via \\servername\user$, we’ll add the following section before the [global] section.

[User$]
comment = Users
path = /Volumes/StudentData/User$
available = yes
guest ok = yes
inherit permissions = yes
create mask = 0644
directory mask = 0755
oplocks = yes
strict locking = 1
read only = no
Browseable = no

[global]

What we have effectively done in this case is create a share that is non-browseable for Samba (by setting the “Browseable = no” argument), and name the share User$, which is how Windows refers to hidden shares. By combining the way both OSes understand hidden shares, we have satisfied all the requirements needed for both Mac home folders and PC shares, which no longer have to comply with the exact nomenclature that OS X pins us down to. (Take that Apple!!)

Make sure to restart SMB on the OS X server any time you make a change.
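
Because the GUI rewrites smb.shares whenever a share point is edited, the [User$] section has to be put back before [global] each time. The sketch below is an added example, not part of the original post: the function names and the sample text are made up for illustration, and it assumes the hand-added section is kept in a backup copy.

```python
import re

SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

# Constructed sample: smb.shares right after the GUI regenerated it.
REGENERATED = """\
# This file is automatically generated, DO NOT EDIT!
[Students]
comment = Students
path = /Volumes/StudentData/User$/Students
Browseable = yes
[global]
"""

# The hand-added section from the article (trimmed), kept in a backup copy.
HIDDEN_SHARE = """\
[User$]
comment = Users
path = /Volumes/StudentData/User$
read only = no
Browseable = no
"""

def norm(name):
    # smb.conf(5): names are case-insensitive and ignore internal whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_sections(text):
    """Return {section name: {parameter: value}} with normalized names."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(stripped)
        if m:
            current = sections.setdefault(norm(m.group(1)), {})
        elif current is not None and "=" in stripped:
            key, value = stripped.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def ensure_section(config_text, section_text):
    """Insert section_text before [global] if missing; return (text, changed)."""
    block = section_text.strip().splitlines()
    name = norm(SECTION_RE.match(block[0]).group(1))
    if name in parse_sections(config_text):
        return config_text, False
    lines = config_text.splitlines()
    at = len(lines)  # no [global] section: append at the end
    for i, line in enumerate(lines):
        m = SECTION_RE.match(line)
        if m and norm(m.group(1)) == "global":
            at = i
            break
    lines[at:at] = block + [""]
    return "\n".join(lines) + "\n", True

def is_hidden(config_text, share):
    """True if the share name ends in $ and the section sets browseable = no."""
    params = parse_sections(config_text).get(norm(share))
    if params is None or not share.endswith("$"):
        return False
    browse = params.get("browseable", params.get("browsable", "yes"))
    return browse.lower() in ("no", "false", "0")

if __name__ == "__main__":
    # In real use, read and write /var/db/samba/smb.shares instead of the sample.
    restored, changed = ensure_section(REGENERATED, HIDDEN_SHARE)
    print(restored if changed else "hidden share already present")
```

Running it a second time leaves the file untouched, so it is safe to run after every GUI change and before restarting SMB.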






I was trying to apply some Windows updates on Windows XP SP3, and I kept getting the “Checking for the latest updates on your computer” message, but it never got past it. This seems to be due to a problem related to incomplete previous downloads, or some corrupted Windows Update files.

If you are having this problem, here is how you resolve the problem:

  1. Open a command prompt (Start / Run…, type cmd and press Enter)
  2. Type: proxycfg -d (this will set the proxy back to a direct connection to the internet)
  3. Stop the Windows Update service. From the command prompt, type: net stop wuauserv
  4. Now open C:\Windows\SoftwareDistribution and delete all of its contents
  5. Start the Windows Update service. From the command prompt, type: net start wuauserv

Voilà! Now you can go back to Windows Update, and it should work like a charm.






VMware View 4, though great when it’s working, is a real pain when it’s not working or something is broken. I am constantly learning new things with it, and sometimes have to take riskier steps than others, especially since VMware support is less than useful most of the time.

Today’s issue is related to creating a pool of machines, where one of the machines exists in vCenter and in the Composer DB, but for some reason does not get listed within the pool. At this point, the pool trying to create that VM conflicts with the actual VM that exists in vCenter, as well as with the database entries that exist in the Composer DB.

Disclaimer: the following steps involve messing with the VMware Composer database. I take no responsibility if you end up messing up your Composer DB. BACKUP, and proceed at your own risk!

Now that the disclaimer is out of the way. Let’s look at the steps to bring your pool back to life.

  1. Delete the VM from the datastore, or from within vCenter, “Delete from Disk”
  2. Go to the Active Directory OU where your pool workstations exist, and delete the computer object from there
  3. Open up the Composer DB database with SQL Management Studio, and you need to delete some entries related to that VM:
    - SVI_VM_NAME where NAME is the deployed VM name
    - SVI_VM_COMPUTER_NAME where NAME is the deployed VM name
    - SVI_SIM_CLONE where VM_NAME is the deployed VM name.
    Before you perform this last query, there are 3 other rows to delete, as they have constraints on them:
    - SVI_SC_BASE_DISK_KEYS where PARENT_ID is the ID from SVI_SIM_CLONE
    - SVI_TASK_STATE where SIM_CLONE_ID is the ID from SVI_SIM_CLONE
    - SVI_SC_PDISK_INFO where PARENT_ID is the ID from SVI_SIM_CLONE

After you perform the above steps, check out your provisioning, or re-enable it if it had been disabled due to the error, and things should continue along without a problem.






Since I spent 45 minutes trying to figure out this problem, I figured it’s worth posting for others to benefit from. To start, I’m not really sure if this problem is new with the 3.0.1 version of WordPress, but it is worth considering that variable, since I started dealing with this problem as soon as I upgraded to 3.0.1 this morning.

The issue is that every time that I went to the plugins.php page, I would receive the following error:

Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 491520 bytes) in /home1/foreignk/public_html/blog/wp-admin/menu.php on line 235

The first thing that came to mind to check on this was the php.ini memory_limit directive, which was set to 32M. Changing it to 64Mb didn’t help. At this point, I wasn’t sure what was going on, so I started looking in the WordPress code to see if the values are hard-coded somewhere. In reading the forums, some people suggested adding define('WP_MEMORY_LIMIT', '64M'); to the wp-config.php file. That also did not help.

During this time, phpinfo.php was actually showing the memory_limit to be set as I set it in php.ini, which was even more baffling.

The solution finally was found in the file: /wp-includes/default-constants.php

In that, there is a section commented //set memory limits (see code below)

I just changed the values to 128M and 64M respectively. After this change, my plugins.php loaded again, and I was no longer getting the memory error.

Hope this helps somebody out there.






One of the projects I’m working on, is actually laughable, because that situation should’ve never happened in the first place, but I can’t take responsibility for that, since I inherited it. I have 3000 users in Active Directory that have a username including a space in it. That’s right, John Doe’s username is actually domain\john doe. If you ever write any scripts, or do anything related to accounts, you will immediately realize that it is a nightmare to maintain user accounts with spaces; for the most part, because it is industry standard to create user accounts without spaces.

So, that is my challenge. My project involves taking every user account in Active Directory, and changing the John Doe into a jdoe. Sounds simple at first glance, but when there are tons of John Does, and James Does, there is a bit of complexity introduced in creating a username algorithm, not to mention notifying the users of this change, and maintaining these changes in a database. I won’t get into that piece in this article. I’ll save it for another post.

The main purpose of this post, though, is to share the result of my research on how to successfully rename a user account fully, all the way from Active Directory to the user’s profile name on their workstation.

The challenge with profile names and AD accounts, is that a lot of scripts running on user’s workstations call the “%USERNAME%” or the “%HOMEPATH%” environment variable, and in general, scripting usually refers to the %USERNAME% variable, which will end up not matching the actual home path of the user in case of an account name change.

Changing an account name in Active Directory, will only change the actual name, but does not change the SID of the account.

Let’s look at a quick example:

If we rename username: john doe in Active Directory to jdoe, the profile name on the user workstation is still c:\documents and settings\john doe. When the user logs in with the new username, the profile c:\documents and settings\john doe will in fact load, and the user will not see a difference, but there is now a discrepancy between the username and the user home path.

If we just rename the folder from c:\documents and settings\john doe to c:\documents and settings\jdoe, you would think the problem would get resolved. In reality it won’t, the reason being that the account is tied to a Sid, and Windows looks up a specific profile image path for it; since that reference still points to the old folder, the path no longer exists. Windows’ mechanism at this point creates a new profile for the user and names it jdoe.domain, in which none of that user’s data / settings exist. That is because Windows believes that the original profile with the data has been deleted.

So, what’s the fix for this? Actually, it’s very simple, there’s a registry change that needs to be made in addition to the user profile name change that will take care of this problem. The key to this is knowing the Sid that corresponds to a particular user. For this, using the getsid.exe utility from the Windows 2003 Support tools will help get that information.

Once the Sid is found, then open your registry, and navigate to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\<Sid>\ProfileImagePath

Note that the name of the folder needs to be changed while not logged in to it; otherwise the following error will pop up:

Documents and Settings is a Windows system folder and is required for Windows to run properly. It cannot be moved or renamed

The value of ProfileImagePath needs to be changed to the new username, after the actual folder name has been changed as well. Once this is done, log off the session, and log back on, and note that all the names are now synced, and things are back to normal.

For additional details on this issue, or some variants of it, you can check out Microsoft’s kb314843.







Powershell is quite a powerful scripting language that has been around for a while. It has simplified the administration of servers and applications quite a bit, and in and of itself is actually simpler to manipulate than regular scripting languages (e.g., shell scripting, Perl, VB). Moreover, these other languages require a script that would be 100 lines long to do the job of a one-liner in Powershell.

Because of the complexity of scripts, and the high level of knowledge required to write something as simple as returning a quick report about some servers, combined with quite a number of administrators who are not very well versed with scripting, the need for something like PowerGUI is huge.

What is PowerGUI, you ask? Well, in a nutshell, it’s a Powershell scripting tool that allows you to import “Powerpacks” that other people have already written. In addition, it’s also a great tool to write Powershell scripts in: it has syntax highlighting, and suggestions with an explanation of the functions, as well as their usage. For existing VB scripters, it has a built-in VBScript-to-Powershell converter. You choose the function that you would otherwise use in VBScript, and PowerGUI will automatically convert that into Powershell syntax: extremely convenient!

The Powerpacks are the heart of PowerGUI. There are quite a few of them. The most prominent are ones for VMWare management, Hyper-V management, and Exchange 2003, 2007 and 2010 management. The latter is extremely convenient, especially for Exchange 2007 and 2010, as those products rely almost solely on Powershell to manage. Some administrators simply don’t have this skill, and most would simply prefer to use a pre-packaged GUI interface, instead of re-inventing the wheel.

This free utility is quite a power-house, and a must for any administrator. There is a PRO version of the same utility, which allows for web-based Powershell scripting, and is sold by Quest. For most, the free utility will more than suffice.






A few days ago, I noticed that some of my servers have become really slow. The login process would take close to 5 or 6 minutes just to load user settings, and then navigating through Windows Explorer was agonizingly slow.

I couldn’t figure out what was going on. Since it was happening on multiple servers, and they were production servers, my choices were simple: fix the problem. Rebuilding was out of the question.

In order to troubleshoot this problem, I had to find a way to figure out how to see what is going on behind the scenes. There are some utilities like procmon that would help with the issue, however, even those tools make it a bit hard to decipher what’s happening in the background.

The best tweak that I found for this kind of problem is to enable User Environment Logging. This is built-in Windows logging that essentially logs any event that is related to the user environment. So, I enabled that. Here’s how I did it:

  1. Click Start
  2. Click Run
  3. Type: regedit
  4. Click OK
  5. Open or browse down to the following location in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  6. Right click in the right hand pane
  7. Select New > DWORD value
  8. Set the DWORD name to UserEnvDebugLevel
  9. Double-click the UserEnvDebugLevel value, set the data to: 0x00030002

After you add this value, Windows will create the following file:

C:\Windows\Debug\UserMode\userenv.log

Now, by logging out and back into Windows, a whole bunch of great information got logged into the userenv.log file.

In my case, the login was being slowed down quite a bit on userinit.exe and explorer.exe. Of course, that didn’t really help me that much unfortunately, at least not by directly looking at that log, but I knew that I had realtime scanning turned on in my anti-virus, so I tried turning that off, and bingo! The speed got restored back to normal. So now I have to figure out what I need to tweak in A/V to not allow explorer to be hung up like this.

One word of caution: since userenv.log logs pretty much every action on the computer related to files, it can become quite big. So, be sure to turn it off, by deleting that registry entry in step #5, or you will be dealing with a full hard drive in a couple of days.






A couple of days ago, I was dealing with the issue of trying to have home directories residing on Mac servers where the users would connect to these home directories which are auto created from their Mac workstations, but also, need these same home directories to be available for mapping via login script to the Windows clients.

The problem that I was faced with, which also matches my philosophy about security, was that everywhere else where I had created shares, I had them setup as hidden shares. Something makes me uneasy knowing that users would be able to just browse all shares (Even though they can’t really access them) if the shares are not hidden.

So, in all my Windows environments, where user data is on Windows shares, the path looks something like this:

D:\User\Students\%USERNAME% with a share point physically pointing to D:\User, and named user$, so the path to the user’s home directory from a UNC perspective would look like this:

\\servername\user$\students\%USERNAME%

Can you guess where the problem is on a Mac, trying to create the same type of share?

\\servername\user$\students\%USERNAME%

From my research, it doesn’t seem like it’s even possible to create a hidden share from Mac OS X Server, at least not natively. I have tried everything, from changing the name of the share to have a “$” sign in it, to changing the share name in the SMB protocol options. None worked, or returned the expected result.

The solution ended up being a hack. It’s not permanent, as it will revert back to a non-hidden state if any changes are made to that share point, but, realistically speaking, once a share is created, it’s permanently there, or at least long term.

To make a share hidden on a Mac, so that Windows can access it, create the Mac share, enable the SMB protocol, and specify the name of the share. To be consistent with the above example, we’ll name the sharepoint: “user”

Once the share is created, and all the ACLs are set, open up Terminal, and su - to root

then: cd /var/samba/shares

The share we just created above will show up in that directory, just rename that to user$:

mv user user$

Now, try to access the share like you would from Windows: \\servername\user$\students\%USERNAME%

You will notice that you are now able to do so without any problems.

Of course, this article is only explaining how to create a share, and not how to properly configure Samba. There are additional details that you need to be aware of when configuring Samba, mostly related to user authentication, especially if the Macs are not authenticating to a common directory. This article can give a bit of insight into how that works: http://www.samba.org/samba/docs/using_samba/appf.html






Recently I have been trying to use Google Chrome as my main browser, just to see how it would compare with Firefox, and surprisingly, I’ve been quite impressed, to the point where I don’t really mind it. There are a few things that are not completely up to par with Chrome, like some websites (forms) not working quite correctly, and some utilities and extensions that I used in Firefox don’t work quite the same in Chrome. Fortunately, the gap is being filled by having most of these utilities that would otherwise be browser-based, convert to being server based (or in the cloud). Most recently, GMAIL’s formatted HTML signatures becoming native within the GMAIL settings, eliminating the need to use an extension from Greasemonkey, or WiseStamp.

I digress regarding the comparison of Google Chrome vs. Firefox, at least for the purposes of this article. What I really wanted to address is a nice feature that I recently just discovered in Chrome, and that is the Address Bar searching, without any added extensions. If you are a Firefox user, this would be quite close to the functionality of the Omnibar extension.

If you do use Chrome on a regular basis, you may already know that typing any terms in the address bar will perform a search in Google. However, did you know that if you wanted to search elsewhere, there is a whole slew of search engines that can be pointed to straight from the address bar? You can get to it by right clicking on the Address Bar, and selecting: “Edit Search Engines”…

Once you do that, you will get the list:


From here, you can change the search engines that can be used, along with the keywords associated with them. For any search engines that may have overlapping first characters, you just have to type enough letters of the search engine to make it unique, and press tab. For Wikipedia, I type wik and press tab:


Then type your search query and press enter, and voila, you are in Wikipedia, with the search results.


Pretty slick!






The question of calendar syncing has been quite a big one on the forums on the net. I was also one that had a problem figuring out how to sync all my calendars, and I kept doing more research and experimentation until I finally found a perfect solution that seems to work across the board. That is what you’re here for, right?

Alright, in this blog entry, I’m going to try to give as much detail as I can based on the scenario that I have in my calendars, as I think my situation covers in part or in all, most other people’s situations. From these different steps, you can take any part you want, and apply it to your particular setup to get what you need.

So let’s get started. I’m going to describe everything based on the setup that I currently have running. This involves: iCal, gCAL, Outlook, and 3rd party calendars, including shared Google calendars, and Tungle meeting organizer. Now before we continue, let me put in a warning before starting:

The process you’re about to see requires performing major surgery on your calendars. There is no scripting, or crazy techy stuff involved, but you have to be methodical to make this whole thing work.

.. continue reading ..
