Fixing the password problem on small business networks

Posted in sysadmin, windows (June 28, 2007 at 1:48 am)

I’ve been involved in commercially supporting Windows networks for almost 5 years now, having dealt with hundreds of users across dozens of different companies.  Most of the clients we support are “small businesses”, which makes sense, as it is quoted that 97.3% of private enterprise in NZ is small/medium sized, accounting for 49.4% of private sector employment.

These companies, in the most part, don’t have the infrastructure for a large, homogeneous IT environment.

And you know what?  They couldn’t care less.

They make do with what they always have - buying PCs piecemeal, having Office 2000 on some PCs and Office 2003 on others, and - the kicker - knowing everyone else’s passwords, instead of sharing data.  Even though products like Microsoft Exchange allow you to do things like delegate access to someone else’s mailbox, they still claim they need to all have their passwords set to ‘password’, or documented in a book, in case they need to sit at someone else’s PC.

People don’t do what PCs suggest they should do. No one really wants the multi user functionality that PCs have now.  In small business, people want to be able to use the line-of-business application, a web browser, and access their own e-mail and files. They might like the idea of having some personalisation (some care for it, some don’t), but overall, having to log out as you and log in as me takes longer than the effort required just to use the application as set up on your profile.

So, as a sysadmin, I want people to use strong passwords.  I have to wean them off the idea of needing someone else’s password to get at their data.  And I want to work how they work, not how I think they want to.  They want the desktop you use when you’re filling in for someone to look like it did when they were learning over the first person’s shoulder.

The primary solution put forward by Microsoft is “roaming profiles”, where you can log into any machine, and have your applications loaded.  Say you’ve got a shortcut to Word 2003 on your desktop, and you roam that profile to a machine with Word 2000 on it.  Doesn’t work.  Good for volume licensed customers with the same software on all PCs, but not good for us.  Doubly bad when you look at how people actually work - the accounts clerk has MYOB and payroll software installed, some managers will have banking software for authorising transactions, sales people may have a line-of-business application that analysts don’t need, etc.  It’s not worth ensuring that the software is on everyone’s machine, it means unnecessary licensing costs, and in the case of things like payroll software, people want to know it’s not available to everyone.

So, roaming profiles are out.

When someone is away, their mail and phone are diverted, but their PC sits there unused, or someone has to sit at the desk - they try and find the icons you used to click, but their new profile doesn’t have the shortcuts, or the per-user registry keys required for some random application.

Let’s look at some other possible solutions:

Terminal services or Citrix MetaFrame

Put everyone on a thin client and make everyone use a central server.  Good plan, but it requires a large investment, it takes a lot of time to change an office of fat clients into a thin-client environment, and not all SME apps are TS friendly.  Also, if you scale to needing more than one TS, you’re back at square one, needing the apps to be in sync across two machines.

Virtual machinery

Abstract the access away from the machine - have a bunch of passwords all able to unlock the same machine.  Wasteful.

Change someone’s password temporarily if you need to use their account

Tried this.  At present, there is no way for the Administrator to change someone’s password, store the original hash, and set it back at a later date.  I think it’s worth implementing though.

Cheat biometrics

Biometric sensors, like the fingerprint scanner on my T60 laptop, can be ‘cheated’: in an office of 10 people, with 10 fingerprints able to be stored, why not store everyone’s fingerprint on everyone’s computer?  Requires buying a scanner for everyone’s PC, and if all ten prints simply unlock the PC owner’s account, the logs still show the owner, not whoever actually sat down.

Insecure machine accounts, delegated access to data

Why not have everyone have a 20 character password, but have a single password for logging into the machine in the morning?  You could have a “machine user” account on each machine, and delegate e-mail access for everyone necessary to the machine.  A bit more administrative overhead but a possible solution.

Craig’s “Silver Bullet” answer

My favourite suggestion is delegating access to your profile, or your profile/PC combination.  This is what Exchange lets you do now with e-mail - why not extend this to user accounts also?  Presumably, the component (a “GINA”) that handles authentication for the fingerprint reader could be made to start loading another account, separate from the one you entered the password for?

Therefore, we can have a 1:1 mapping of people to passwords, so no-one ever has to know anyone else’s, and then we can have a 1:many between computers and users, without needing messy multiple profiles.

Anyone see any problems with this approach?  If not, why haven’t you written it yet?  Look perhaps at pGina as a base. My (ex-)small businesses will pay.

Mongrel upload progress problem - cause found

Posted in Linux, ubuntu, sysadmin, rails (June 15, 2007 at 1:46 am)

Per my previous post on upload progress in Rails, I can now confirm:

The certificates must be in PEM format and must be sorted starting with the subject’s certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.

Which means, in my case:

cat site.cer chain.cer Equifax_Secure_Global_eBusiness_CA-1.cer site.key > site.pem
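To make that ordering rule mechanical, here is an added example in POSIX sh (my own, not code from the original post or from Pound): it concatenates the files in the required order, locks down the bundle because it now contains the private key, and then uses openssl to confirm that the first certificate chains up to the last one through whatever sits between, and that the key belongs to the leaf. The function names, the argument order and the pound-bundle.sh script name are assumptions; any leaf/intermediate/root files will do, the Equifax chain above is just one instance.

```shell
#!/bin/sh
# Added example, not code from the original post or from Pound itself.
# Builds the PEM bundle Pound expects (leaf cert, intermediates, root, then
# the private key, in that order) and checks it with openssl before use.

# build_pem_bundle OUT KEY LEAF [INTERMEDIATE ...] ROOT
#   Concatenates LEAF, the intermediates and ROOT in the order given, then KEY.
build_pem_bundle() {
    out=$1; key=$2; leaf=$3; shift 3
    { cat "$leaf"; for c in "$@"; do cat "$c"; done; cat "$key"; } > "$out" || return 1
    chmod 600 "$out"    # the bundle holds the private key, so keep it private
}

# verify_pem_bundle BUNDLE
#   Returns 0 only if the first certificate in BUNDLE chains up to the last one
#   (via any certificates in between) and the private key matches that first
#   certificate, i.e. the file is in the order Pound's documentation requires.
verify_pem_bundle() {
    bundle=$1
    tmp=$(mktemp -d) || return 1
    # Split the bundle back into one file per PEM block: cert1.pem, cert2.pem,
    # ... in file order, plus key.pem for the private key.
    awk -v d="$tmp" '
        /^-----BEGIN CERTIFICATE-----/   { n++; out = d "/cert" n ".pem" }
        /^-----BEGIN .*PRIVATE KEY-----/ { out = d "/key.pem" }
        out != ""                        { print > out }
        /^-----END /                     { close(out); out = "" }
    ' "$bundle"
    n=$(ls "$tmp"/cert*.pem 2>/dev/null | wc -l | tr -d ' ')
    if [ "$n" -lt 2 ] || [ ! -f "$tmp/key.pem" ]; then
        rm -rf "$tmp"; return 1
    fi
    leaf=$tmp/cert1.pem
    root=$tmp/cert$n.pem
    # Everything between leaf and root is an intermediate: untrusted input
    # that must itself chain to the root.
    : > "$tmp/untrusted.pem"
    i=2
    while [ "$i" -lt "$n" ]; do
        cat "$tmp/cert$i.pem" >> "$tmp/untrusted.pem"
        i=$((i + 1))
    done
    chain_ok=1
    if [ -s "$tmp/untrusted.pem" ]; then
        openssl verify -CAfile "$root" -untrusted "$tmp/untrusted.pem" "$leaf" >/dev/null 2>&1 && chain_ok=0
    else
        openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 && chain_ok=0
    fi
    # The key must belong to the leaf: compare the two public keys.
    key_ok=1
    cert_pub=$(openssl x509 -noout -pubkey -in "$leaf" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$tmp/key.pem" 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then key_ok=0; fi
    rm -rf "$tmp"
    if [ "$chain_ok" -eq 0 ] && [ "$key_ok" -eq 0 ]; then return 0; else return 1; fi
}

# As a script: pound-bundle.sh site.pem site.key site.cer chain.cer root.cer
if [ "$#" -ge 4 ]; then
    build_pem_bundle "$@" && verify_pem_bundle "$1" && echo "$1: chain and key OK"
fi
```

A bundle assembled in the wrong order, with the intermediate left out, or with the wrong key fails the verify step here, before Pound ever loads it.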

I’ve backported Pound to Ubuntu Dapper, from Debian Testing. Dapper only has 1.0, which might work, but the configuration has changed between 1.x and 2.x, which makes the examples incorrect.

SpamAssassin 3.2.0 backport for Ubuntu Dapper

Posted in Linux, ubuntu, sysadmin, spam (June 6, 2007 at 1:13 am)

I’ve built packages for SpamAssassin 3.2.0 for Ubuntu Dapper. They are available in my firewall repository with the dependencies (libnet-dns-perl, libnetaddr-ip-perl, libmail-spf-perl):

deb http://ubuntu.hs.net.nz dapper firewall

If you use this repository, you’ll get a new version of ClamAV, and some other packages also. Beware.

It was a bit of a mission to build, but made easier with the Prevu tool. This is like pbuilder for backports, and anyone doing anything with backports should use it. You can use the 0.4.1 release on Sourceforge on Dapper.

ACT presents “Object reference: Not set to an instance of an object.” when connecting via Citrix

Posted in sysadmin, windows, dotnet, citrix (May 23, 2007 at 1:14 am)

The ACT! contact management application is a pig. There, I’ve said it. It’s one of those programs that keeps changing owners - that’s how much of a pig it is. Seems no-one really wants it.

They re-wrote it in .NET a couple of versions ago, and it ought to be better, but it isn’t. ACT! throws “Object reference: Not set to an instance of an object.” (a reasonably common .NET error) whenever it feels like it.

In my particular case, I could open it fine when using a Citrix desktop session, but as a published application, it would die all the time.

I tracked the problem to the seamless window. When you run seamlessly, you get Citrix’s WFSHELL.EXE running, and not EXPLORER.EXE. You can force a published application to run at a certain screen size, which runs as if you were in a desktop. Hopefully the ACT! forums will give me a better answer.

“The specified directory service attribute or value does not exist” connecting to Microsoft Exchange IMAP

Posted in sysadmin, windows, exchange, imap (May 21, 2007 at 1:13 am)

Are you getting “The specified directory service attribute or value does not exist.” when connecting to Exchange IMAP? Wait a while. This error will go away - if you’ve just mail-enabled your account, Exchange will accept the username and password now, but it will take a few minutes for the mailbox to actually catch up.

Ruby “gem cleanup” returns “Unknown command cleanup”

Posted in sysadmin, ruby (May 20, 2007 at 1:15 am)
root@redhut:/usr/lib/ruby/gems/1.8# gem cleanup
ERROR:  While executing gem … (RuntimeError)
    Unknown command cleanup

It’s a bug in RubyGems 0.9.3, and it will be fixed in an upcoming release.

Access 2003 fires up Windows Installer every time you run it

Posted in sysadmin, windows, access, msiexec (May 1, 2007 at 1:14 am)

Found an interesting problem this morning - Access 2003 fires up Windows Installer (msiexec.exe) every time you start it, and for users without administrator rights, it just doesn’t go.

After looking at dozens of newsgroup posts and trying a few solutions, I finally had enough debugging information to find the solution that worked: registry keys are missing from HKLM\Software\Microsoft\Jet\4.0\Engines. Copy them from another machine (changing paths where required) and it works again!  Would of course love to know what caused a bunch of registry keys to just disappear…

For those interested, using Filemon I found that msiexec was writing to a log file, and the log file contained the error “Cannot Open Jet XL ISAM registry key” - descriptive enough to find the solution.

Some housekeeping

Posted in sysadmin, planet, productivity (April 28, 2007 at 1:15 am)

I’m going on a big trip in a few months, and figure it’s a good time to start planning a bit more actively.

I’ve used the “Getting Things Done” methodology in my e-mail for a while (basically: your inbox should always be empty, you should have an “Action this” folder and a “Reference” folder, and you should either deal with an incoming e-mail immediately or file it into one of these two folders for later processing).  It seems like it might be fun to try it a bit more with the things I need to arrange before I go - you really do have to break things down into small steps when it’s “move half way across the world for fun”.  So I’m looking at Tracks, a GTD program written in Ruby on Rails.

Before setting this up though, I needed to play with my web host a little, so have categorized my posts to this site.  This crosses something off my aforementioned list-of-things-to-do, and also means that I will be a bit easier to read on planet.geek.nz, where I am now showing up.  Also, I’ll probably do the whole Postcards from Uncle Travelling Matt thing, and I’m sure my Mum will find posts about Exim a bit over her head.

I’ve also seen a lot of people using Google Calendar, and now there is a way to get Thunderbird to use it directly, and you can publish stuff to the web in a neat fashion, I might see if it can arrange my trip for me.

Any other suggestions are welcome, bearing in mind I will need them to be easily accessible from anywhere.

LVM bug on Feisty

Posted in Linux, ubuntu, sysadmin, lvm ( at 1:13 am)

Once upon a time, there was a race condition between udev and device-mapper (the kernel interface used for EVMS and LVM2). DM would create and destroy devices regularly, say in the action of creating an LVM snapshot, and udev would say “ooh, shiny new device created” and try and do stuff with it, only to find it had gone away.

For some time, the fix for Ubuntu was a udev rule instructing it to ignore dm-N devices, like this:

KERNEL=="dm-[0-9]*", OPTIONS+="ignore_device"

All well and good, until they fixed that bug in Feisty. Now, if you still have that option in your udev rules, you will get LVM snapshots taking 10 minutes to create, and you’ll also get LVM not starting properly at boot.

Check your workarounds when you upgrade packages. Sometimes, they not only don’t work around any more, they cause all new problems.

ProfileTool beta released

I don’t often write code, but I do find it’s a good complement to cricket watching. So, in honour of New Zealand playing Sri Lanka in the World Cup semi-final, I’m proud to announce the release of the first public beta of the IT Partners ProfileTool.

ProfileTool lets you take a Windows 2000 or XP user’s profile and assign it to a different user, without having to copy any files or perform any manual procedures.

This is a common task for people who are taking a network of PCs that have not been on a domain, and joining them to one; or if you replace a domain controller without keeping security information, which is sometimes done on sites upgrading from a badly installed SBS 2000 installation to a nicely installed SBS 2003 installation.

It also has useful features for deleting a profile off the disk/from the registry, and changing profiles from roaming to local, replicating the features of the User Profiles capplet.

The source is available under the Mozilla Public License, with the implication of “Do what you like with this code, but if you improve it, I’d like your source to come back to me please”.

Gray boxes when viewing Java applets

Posted in sysadmin, windows, java ( at 1:13 am)

Do you find you get gray boxes when you’re looking at a web page with a Java applet (such as the Companies Office or JavaTester)?

You know you have the Sun JVM installed correctly, there are no traces of the Microsoft JVM, the plugin exists, but you can’t see it in either Firefox or IE?

I had this problem for some time, and have finally found the cause - I have a custom transform for deploying Java, which turned off automatic updates, set the default JVM, etc, and also accepted the EULA.  As of about 1.5.0 Update 6,  setting EULA to 0 means that the JVM looks for EULA.DLL, doesn’t find it, and silently dies.

Don’t set the EULA property to 0 anymore. Ignore it.

You also used to be able to turn off the Automatic Updates in the properties table, but you can’t any more.  You have to edit the MSI to run a registry script as the last action, and even then there are reports that Java will create the links on first-run.  I don’t want my workstations getting a pop-up message saying Java will update when I carefully select the version to deploy, thanks Sun!