Category: SysAdmin

uHOWTO: NTP in Windows 2003 – manual intervention required

Atomic Clock Up to Windows 2000, using an NTP server as the time source was as simple as entering the server address in the Time/Date control panel. From 2003 onwards, you must follow the procedure detailed in KB816042 to configure the Windows Time service to use an external time source.

Paraphrasing:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type=”NTP”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags=5
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters=”pool.ntp.org,0x1″
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval=900
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection=3600
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection =3600
  • net stop w32time && net start w32time

You may replace pool.ntp.org above for any other server (or servers, space-separated) with “,0x1” after each host name. And keep an eye in the Event Log after you restart the service.

MySQL fails after upgrade to 5.1 on Debian Squeeze

Are you running Debian Squeeze?
Did you upgrade to mysql-server-5.1 ?
Are you getting a message like this?

Starting MySQL database server: mysqld . . . . . . . . . . . . . . failed!

Did you read /usr/share/doc/mysql-server-5.1/README.Debian.gz ?
Go read it again and this time *comment out* skip-bdb in /etc/mysql/my.cnf:
perl -i.bak -pe 's/^(skip-bdb)/#$1/' /etc/mysql/my.cnf

uHOWTO: Recover stuck modified keys from VMware Player or Workstation

If you use VMware Player or VMware workstation under Linux and you’re an alt-tab fan like me, you might end up with stuck modifier keys, so you can’t use keys like Ctrl, Alt or Shift outside of VMware. Xiao Feng has written a nice script to recover from this annoying condition without having to reboot, and I tought I’d share it with everyone out there:

#!/bin/sh
# Xiao Feng's "Recovering from stuck modifier keys caused by VMware"
# http://bitubique.com/tutorials/recovering-from-stuck-modifier-keys
/usr/bin/xmodmap - << fixme clear shift add shift = Shift_L Shift_R clear lock add lock = Caps_Lock clear control add control = Control_L Control_R clear mod1 add mod1 = Alt_L Alt_R clear mod2 add mod2 = Num_Lock clear mod3 clear mod4 add mod4 = Super_L Super_R clear mod5 add mod5 = Scroll_Lock fixme xset r on xset m 3.5 4 xset b off xset s off

A brief note about Spamhaus Policy Block List

After getting in closer-than-usual acquaintance with my mail server logs I thought I’d share a brief note I found in the Spamhaus PBL FAQ:

The first thing to know is: THE PBL IS NOT A BLACKLIST.

Oh, and since you’re already there you may want to linger a bit in this warning:

WARNING! Some post-delivery filters use “full Received line traversal” or “deep parsing”, where the filter reads all the IPs in the Received lines. Legitimate users, correctly sending good mail out through their ISP’s smarthost, will have PBL-listed IPs show up in the first (lowest) Received header where their ISP picks it up. Such mail should not be blocked! So, you should tell your filters to stop comparing IPs against PBL at the IP which hands off to your mail server! That last hand-off IP is the one which PBL is designed to check. If you cannot configure your filters that way, then do not use PBL to filter your mail. Instead, you may wish to use sbl-xbl.spamhaus.org, but even that may have unacceptable “false positive” filtering, for example when a an exploited end-user machine sends legitimate mail out through the ISP smarthost, or when the dynamic assignment changes the IP to an uninfected machine. Do not use PBL or XBL if you do not understand the issues of “deep parsing”.

(Emphasis mine)
So if your top-of-the-line multi-thousand-dollar antispam appliance starts blocking all my email just because there’s a dynamic IP address somewhere in the header and there’s no freaking way to turn it off please go ask for a refund. And stop bouncing my messages.
Oh and by the way the default SpamAssassin configuration in Debian assigns a 0.905 score if the last hop is in PBL.

score RCVD_IN_PBL 0 0.509 0 0.905
...
header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '127.0.0.1[01]')

And yes, SpamAssassin does the right thing and checks only the *last* external address — I’ve seen the code:

package Mail::SpamAssassin::PerMsgStatus;
...
# If name is foo-lastexternal, check only the Received header just before
# it enters our internal networks; we can trust it and it's the one that
# passed mail between networks

So once again kudos to Open Source — and Common Sense.

uHOWTO: Use your N95 8G as a bluetooth modem under Linux with Telcel


For completeness, here’s a followup to my post about using a Nokia N95 as a bluetooth modem under Linux. This is a working wvdial configuration for use with Telcel in Mexico.
Remember to enter your SIM’s PIN in pin-telcel, and refer to my previous post for complete instructions.

[Dialer pin-telcel]
Modem = /dev/rfcomm0
Baud = 460800
Init1 =AT+Cpin=XXXX

[Dialer telcel]
Phone = *99***1#
Username = telcel
Password = telcel
Stupid Mode = 1
Dial Command = ATDT
Check Def Route = on
Dial Attempts = 3
Modem = /dev/rfcomm0
Baud = 460800
Init2 = ATZ
Init3 = ATQ0 V1 E0 S0=0 &C1 &D2 +FCLASS=0
Init4 = AT+CGDCONT=1,"IP","internet.itelcel.com"
ISDN = 0
Modem Type = Analog Modem

To use it, enter

# wvdial vodafone-pin
# wvdial vodafone

Enjoy!

HOWTO: Use your Nokia N95 Cellphone as a Bluetooth modem for Linux

Did you know that you can use your data-enabled N95 to get a thethered Internet connection from Linux? The access mode and speed will depend on your actual coberture, and as usual YMMV, but I’ve been using this setup for a few months and it works fine.

$ sudo -s
# apt-get install bluetooth bluez-pin bluez-utils kdebluetooth wvdial

Now in user mode use KBlueMon to find out the Bluetooth address of your device and write it down.
Then go ahead and initiate an OBEX file transfer to make sure that you can actually link to your phone and to establish a trust relationship. In your phone add the Laptop to your trusted device list, so it won’t nag you whenever you establish a link.
Now edit /etc/bluetooth/rfcomm.conf :

rfcomm0 {
bind yes;
device 00:21:09:XX:XX:XX;
channel 2;
}

Replace your own device address after “device”.
Now edit /etc/wvdial to add these two entries:

[Dialer pin-vodafone]
Modem = /dev/rfcomm0
Baud = 460800
Init1 =AT+Cpin=XXXX

[Dialer vodafone]
Phone = *99***1#
Username = vodafone
Password = vodafone
Stupid Mode = 1
Dial Command = ATDT
Check Def Route = on
Dial Attempts = 3
Modem = /dev/rfcomm0
Baud = 460800
Init2 = ATZ
Init3 = ATQ0 V1 E0 S0=0 &C1 &D2 +FCLASS=0
Init4 = AT+CGDCONT=1,"IP","ac.vodafone.es"
ISDN = 0
Modem Type = Analog Modem

You can give them any name you want. I have defined several providers, to avoid confusions and to use the provider at hand. Replace the “XXXX” in Init1 with your SIM’s PIN.
Now to use them restart the Bluetooth subsystem:

# /etc/init.d/bluetooth restart

And use wvdial to dial out:

# wvdial vodafone-pin
# wvdial vodafone

You should get an Internet link, complete with an IP, a default route and a couple of DNS servers. If it doesn’t, reboot your phone liberally.
Please note that this might get expensive quite quickly unless you get a data plan from your provider. Go ahead and make their day.
Enjoy!

X forwarding through SSH in HP-UX

If you try to do X forwarding by SSHing to an HP-UX host, you may get the dreaded “Can’t get IP address for X11 DISPLAY.” error. This is more common than you might think, and the reason is that an out-of-the box installation of HP-UX has four or five /etc/nsswitch.conf *examples* for you to install, but not an actual /etc/nsswitch.conf file. I guess this is buried somewhere on the documentation — hey, it might even be a FAQ, but I guess that shipping with a reasonable default wouldn’t hurt.
Well anyway, the following minimal /etc/nsswitch.conf should do for the vast majority of scenarios I can imagine:

# echo "hosts: files dns" > /etc/nsswitch.conf

Now SSH X forwarding should work and a myriad other disasters waiting to happen will surely be averted.

Prodigy Infinitum, SMTP through port 25, botnets and such

dsl.jpgAfter pulling my hair for a couple of days I just realized that my DSL provider is blocking all outgoing connections to port 25 with an ICMP Unreachable packet, which translates as a totally bogus “no route to host” message (An ICMP RST would be more kosher, BTW). The only explanation that comes to my mind is that Telmex has finally realized that it has become one of the largest botnet hosts in the world and decided to do something about it. This is a terrible inconvenience for me, because I run a backup MX at my home office and all the email I write while I’m at home is relayed through it. And now it believes that it has been cut out from the Internet, and is suffering from Internet withdrawal syndrome. Oh, and all attempts to use an external relay -like my primary MTA or the office’s- through port 25 fail as well, so I have had to set up an elaborate workaround *just to send email*.
*Argh!* I hate to pay up for those ignorant Windows home users.
Add to that the fact that i get 800KBps tops in a 2GBps line, and recurrent reports of arbitrary bandwidth capping and Infinitum stops looking like a good alternative for home broadband. I’ll have to look for a cost-effective alternative, but after experiencing 20MBps/20EUR in Europe I’m afraid that I’ve been spoiled for life.
In the meantime, if you were expecting a mail from me in the last five days or so, I’m sorry to say that it is either on its way or lost forever.
Anyway… Merry Christmas!
Update 20080104: AJ Gibson points out in a comment that Telmex is willing to remove the block from your account if you are willing to jump through a few hoops. Just go to http://www.telmex.com/mx/asistencia/correoelectronico/faq_puerto_25.html and follow the instructions there. I registered yesterday and today I can connect back to external SMTP servers again. As mentioned in the comments, YMMV.

About typos in technical manuals

The product you are in charge of maintaining has been in active use for a decade. The manual is several megabytes long, and there’s an army of programmers, consultants and technical writers that make a living off it. As you might guess, it’s not an inexpensive product.
One of the routine tasks for that product -let’s say, “create a new UCM project”- is throughtly documented for the GUI use case, but the manual makes absolutely no mention of the CLI-based procedure. You go through the whole procedure armed with the aforementioned documentation and lots and lots of patience, second-guessing the developers and the technical writers every step of the way, but getting the work done with varying amounts of effort and frustration.
Then, in a key command, you hit a wall. The program complains:

Created project "gpa3_project".
cleartool: Error: Unknown policy name "POLICY_DELIVER_NCO_SELACTS" specified.
cleartool: Error: Cannot set all the policy pvars on project "gpa3_project".
Project "gpa3_project" is now ClearQuest-enabled and
linked to ClearQuest database "COFCQ".

Now “POLICY_DELIVER_NCO_SELACTS” returns *exactly* one match in Google, and it points to the aforementioned documentation. It’s “POLICY_DELIVER_NCO_SELACTS” all over.
After a lot of frustration,

strings /opt/rational/clearcase/linux_x86/shlib/libatriasum.so|grep -i policy_|sort

shows that “POLICY_DELIVER_NCO_SELACTS” is a typo. They really meant “POLICY_DELIVER_NCO_SELACT” instead. No final “S”, you see! And this happened SOME TIME IN THE LAST TEN FREAKING YEARS.
The list of things I’d like to do to the project managers, documentors, and technical writers of this particular product suite is too graphic even for the Internet.
And most importantly — how do they get away with these levels of incompetence?