"In het verleden behaalde resultaten bieden geen garanties voor de toekomst"


About this blog

These are the ramblings of Matthijs Kooijman, concerning the software he hacks on, hobbies he has and occasionally his personal life.

Most content on this site is licensed under the WTFPL, version 2 (details).

Planning at ORTEC

Right now, I'm in Gouda in a bus heading towards ORTEC, a company that works with planning software and algorithms. Today they organise an in-house day. Together with a number of math students of Study Association Abacus we are going to work on a case titled "Restrictions within the Dijkstra algorithm".

So far we've been underway for 3 hours to get here, currently we're bouncing around in this bus, since the driver seemingly wants to catch up his delay. We're off to a good start, since as soon as we get there, we'll start with lunch (probably after a short boring intro talk). Read on for a "live" report :-)


5 comments -:- permalink -:- 17:36
Educational market and Laserquest

Today was the "educational market" (Onderwijsmarkt), organised by Inter-Actief. Main attraction were the design projects, which had all made a (more or less) pretty poster presenting their project and findings.

Since we had been well-warned to take care of the poster well before today, we started work on it yesterday, since it was the first moment anyone had some free time since we (Marijn and I) decided last Friday to stop postponing it.

Making a poster

I had already made some preparations on Monday in the train, mainly thinking about what should be on the poster and writing some text to put on there. I started yesterday morning (got up at 8 for this!) with actually putting together a poster with a few screenshots and the text I had written.

After some fighting with the vector drawing program [Inkscape], which we used since Marijn knew it pretty well, I had put together something really, really, ugly and unfinished. Being out of time, I bailed and left the thing to Marijn. He managed to turn it into a pretty decent poster with nice colours and lines and all.

Printing a poster

He gave it back to me, so I could take care of the printing (he had to work this morning). I spent an hour or so last night battling with the various svg, (e)ps and pdf files, which turned out to contain a subtle error somewhere. This made all my attempts to properly chop up the A0 poster in 8 A3 pages fail (we were already too late to let it print in A0). After doing some more CDP homework, I gave up on it and went to bed. Since I did not expect the printing of the poster to work in one try, I slept less than four hours and got up early.

This morning was spent trying various file formats, drawing programs and printer settings at the print shop (the guy there always lets me fiddle around myself), which at first gave me a poster (that is, in 8 A3 pieces) in which all the images were black and white. Being happy that I had got at least something, I returned to Inter-Actief to see if the Adobe suite could help me out.

After some fiddling around with Illustrator, I managed to convince it to print my poster on 8 A3 sheets. Using the Adobe PDF printer, I turned this into a nice, self-contained PDF to print at the print shop. This worked out pretty well and is something we can do more often at Inter-Actief, since we currently use Photoshop to split a poster into four PNG images to be printed on A3 paper.

Presenting a poster

The presentation of the poster was pretty informal, everybody walked into and out of the room and looked around, playing our game and looking at our poster. We also got an "official" visit from the jury, that had to select the best poster of the day.

Later, at the drink afterwards, the winner of the best poster award was announced. After some honourable mentions, they announced our poster to be the best one. Pretty nifty, since it earned me (the other group members were already gone) an apple pie. Pretty weird too, since the poster was really a not very thought through bunch of information on 8 poorly taped together A3 sheets. Ah well, apparently I had written some interesting things by accident and Marijn did a good job at laying it out.


After such a night of little sleep and an intensive day, it was time to get to bed early and sleep a lot. So, I went over to Inter-Actief at 19:30 to go Laserquesting. I had done it one time before and really liked it, and since I had no other appointments this time (as I had the last two times), I decided to go anyway. Also, the last time only three people wanted to go and it was cancelled; I didn't want to break the mood this time ;-)

After three immensely intensive games of Laserquest (my muscles will probably be aching tomorrow), I am now really ready to go to bed and sleep a lot. I'll see about that class tomorrow morning (10:40), might not go there if I'm still tired then.

So, time for bed. Goodnight.

0 comments -:- permalink -:- 17:35
Paintball & Toothpaste

Did you know that the sound of a nearly empty tube of toothpaste is almost identical to the sound of a paintball gun, only less loud?

2 comments -:- permalink -:- 01:29
Winbind, idmap_ad and machine accounts

Small post about a stupid problem I was having tonight with Samba. As you may know, Inter-Actief uses Samba on its fileserver, using Active Directory for authentication.

We have enabled the idmap_ad module, by putting idmap backend = ad in smb.conf. All our users are assigned a unix uid in the Active Directory, so they can log in. This works okay for normal users: they can log in, access files, etc. Yet, this fails for software deployment.

We are using standard Windows software deployment techniques, using group policies in our AD. Yet, when clients try to install that software, nobody is logged in yet, so the install process runs as the machine account of the machine. But when trying to authenticate with this account at the fileserver, it can't find the unix uid for the account, so the login fails.

Solving this proved easy (though it took me half an evening to think of it): I added the map to guest = Bad Uid option to my smb.conf. This ensures that any failed uid lookup is mapped to my guest user, nobody. Since the share that provides the deployed software is accessible by guest users (guest ok = yes), this allows clients to access deployed software.

My clients are now able to access the files on the fileserver. Now I am up for the next problem: according to the Samba logs, they stopped trying, while the Windows event viewer still says installation failed because the installation source was not available. Gr.... Stupid Windows....
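The trade-off behind map to guest = Bad Uid is worth spelling out: the option does not only help machine accounts, it maps every successfully authenticated account that lacks a unix uid to the guest user, so every share with guest ok = yes becomes reachable by such accounts. The script below is an added example (not Samba's own tooling) that parses a constructed smb.conf mirroring the setup in this post and lists which shares that setting exposes; the share names, paths and the guest_exposure function are assumptions made up for the illustration.

```python
"""Audit which smb.conf shares become reachable through 'map to guest = Bad Uid'.
Added example, not Samba code. The smb.conf text below is constructed; share
and path names are made up."""
import configparser

# Constructed smb.conf resembling the fileserver described in the post.
SMB_CONF = """\
[global]
    security = ads
    idmap backend = ad
    map to guest = Bad Uid
    guest account = nobody

[software]
    path = /srv/deploy        ; constructed path, holds the deployed packages
    guest ok = yes
    read only = yes

[homes]
    path = /home/%U
    guest ok = no

[scratch]
    path = /srv/scratch       ; constructed: a share nobody intended for guests
    guest ok = yes
    read only = no
"""

YES = ("yes", "true", "1")
NO = ("no", "false", "0")


def parse_smb_conf(text):
    """smb.conf is ini-shaped; disable interpolation so '%U' survives and
    accept ';' and '#' as inline comment markers like Samba does."""
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return cp


def guest_exposure(cp):
    """Return (share, unix user, access) for every share that a uid-less but
    authenticated account can reach once 'map to guest' is not 'Never'.
    Only 'guest ok' and 'read only' are evaluated; 'writable'/'writeable'
    synonyms are not handled (assumption of this example)."""
    g = cp["global"]
    mode = g.get("map to guest", "Never").strip().lower()
    guest_user = g.get("guest account", "nobody").strip()
    findings = []
    if mode == "never":
        return findings  # failed uid lookups are rejected, nothing is mapped
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        guest_ok = s.get("guest ok", "no").strip().lower() in YES
        writable = s.get("read only", "yes").strip().lower() in NO
        if guest_ok:
            findings.append((share, guest_user,
                             "read/write" if writable else "read-only"))
    return findings


if __name__ == "__main__":
    for share, user, access in guest_exposure(parse_smb_conf(SMB_CONF)):
        print(f"share [{share}] reachable as {user}: {access}")
```

Run it against the real smb.conf by reading the file into parse_smb_conf; the point is to notice shares like the constructed [scratch] one, which the deployment fix exposes as a side effect, and to keep guest ok = yes limited to the read-only deployment share.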

0 comments -:- permalink -:- 23:50
Fixing Nested groups with winbind part 1: Why the hell is it broken?

I've previously mentioned nested groups not working on our Active Directory/winbind/FreeBSD setup. For some reason groups in groups were not properly unfolded by winbind. I suspected this to be because the "domain functional level" was "Windows 2000 mixed", which is more compatible with older DCs. By now, we've moved to a new DC and raised the level to "Windows 2003 native". Unfortunately, this didn't help one tiny bit. Still broken.

For example, the user mkooijma is present in various groups on our AD. Most of these groups are also members of the Actievelingen group, so mkooijma should be too. Yet, running id mkooijma gives

uid=10008(mkooijma) gid=10000(Domain Users) groups=10000(Domain Users),
  11001(Beheer), 11013(KasCo), 11004(BoCie), 11019(NoiZiA), 11029(Webredactie)

So, no Actievelingen group there.

Again motivated to start digging into source code to find out why this is, I ended up finding a nice big FIXME in the code. That part of the code, which is used by the id utility on FreeBSD (and presumably also by the file system), does not support nested groups.

Seeing a fine opportunity to do some coding, I've hacked up a couple of lines of code to support nested groups there. And I'll be damned, but it worked. Running id mkooijma now gives:

uid=10008(mkooijma) gid=10000(Domain Users) groups=10000(Domain Users),
    11001(Beheer), 11013(KasCo), 10001(Actievelingen), 11004(BoCie),
    11019(NoiZiA), 10002(Webmasters.nested), 11029(Webredactie)

Nice job, so I submitted my patch to the samba-technical mailing list yesterday. I also started hanging out in #samba-technical, where I got into a discussion with Wilco (whom I happen to know IRL) this morning about my patch. We discussed in what way I could make it not break on groups that are members of themselves (indirectly), or users that would end up in the same group multiple times. A few minutes into this discussion, vl walked in on IRC. Since he apparently has been working on winbind group mappings before, he pointed me at a few more fundamental flaws of my approach.

It turns out that fixing the getgrent NSS interface is not really the way to go, for two reasons.

  • Samba's getgrent interface is not really working that well. It does not support everything as it should, such as nested groups. Yet, the code is stable now, and trying to support nested groups, but not accounting for all possible scenarios will make the code unstable. Or more to the point:

    17:01 < blathijs> okay, so the current code doesn't work but doesn't break
    17:01 < blathijs> but my patch makes it break :-)
  • Using getgrent for finding the groups a user is in is terribly inefficient. In short, getgrent returns a list of members for a group. So, to get the groups a user is in using getgrent, the code has to iterate all existing groups and see if the user is in that particular group. Doable for a couple of groups, but it will not scale to hundreds or thousands of groups and users.

    Also, since active directory and LDAP store group membership as "memberOf" attributes for the users, creating a list of members for a group probably involves iterating all users to find members (not sure about that though).

It turns out there is a getgrouplist function in FreeBSD and there is also a getgrouplist function in winbind. Yet, when calling getgrouplist, this call is not forwarded to winbind through nsswitch, but implemented by iterating with getgrent (as described above; getgrent itself is forwarded through nsswitch). So, FreeBSD should just call getgrouplist through nsswitch and be done with it?
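The two problems discussed above (making nested expansion safe against groups that indirectly contain themselves and against duplicate memberships, and the cost of answering "which groups is this user in?" by scanning every group with getgrent instead of following memberOf) can be shown in a few lines. The following is an added example, not winbind or FreeBSD libc code; the group data is a constructed miniature of the AD layout in this post, and a deliberate cycle (Webmasters.nested contains Actievelingen, which contains Webmasters.nested) is included to exercise the failure mode. The function names are assumptions of the example.

```python
"""Nested group expansion and two ways of computing a user's group list.
Added example (not winbind/libc code); the data below is constructed."""
from collections import deque

# Constructed sample: group -> direct members, i.e. the view getgrent() gives.
# Webmasters.nested is (indirectly) a member of itself via Actievelingen.
GROUPS = {
    "Domain Users": ["mkooijma", "wilco"],
    "Beheer": ["mkooijma"],
    "KasCo": ["mkooijma"],
    "BoCie": ["mkooijma"],
    "NoiZiA": ["mkooijma"],
    "Webredactie": ["mkooijma", "wilco"],
    "Webmasters.nested": ["Webredactie", "Actievelingen"],
    "Actievelingen": ["Beheer", "KasCo", "BoCie", "NoiZiA", "Webmasters.nested"],
}


def is_group(name):
    return name in GROUPS


def expand_members(group):
    """Transitive members of a group with nested groups resolved.
    The 'seen' set ends the walk when a group is (indirectly) a member of
    itself, and the result set means a user is reported only once even when
    several paths lead to them."""
    users, seen, work = set(), set(), deque([group])
    while work:
        g = work.popleft()
        if g in seen:
            continue
        seen.add(g)
        for m in GROUPS.get(g, []):
            if is_group(m):
                work.append(m)
            else:
                users.add(m)
    return users


def groups_via_getgrent(user):
    """getgrouplist() built on getgrent(): every group is enumerated and
    expanded just to test one user, so the work grows with the total number
    of groups and their (nested) members."""
    return sorted(g for g in GROUPS if user in expand_members(g))


def member_of_index():
    """Invert the member lists into the memberOf view AD/LDAP keep:
    principal -> groups it is a direct member of."""
    idx = {}
    for g, members in GROUPS.items():
        for m in members:
            idx.setdefault(m, set()).add(g)
    return idx


def groups_via_memberof(user, idx=None):
    """Walk memberOf upward from the user. Each group is visited once, so a
    cycle such as Webmasters.nested <-> Actievelingen cannot loop, and only
    the groups on the user's path are touched, not every group that exists."""
    if idx is None:
        idx = member_of_index()
    result, work = set(), deque([user])
    while work:
        p = work.popleft()
        for g in idx.get(p, ()):
            if g not in result:
                result.add(g)
                work.append(g)
    return sorted(result)


if __name__ == "__main__":
    for u in ("mkooijma", "wilco"):
        print(u, "via getgrent: ", groups_via_getgrent(u))
        print(u, "via memberOf:", groups_via_memberof(u))
```

Both functions return the same list, which includes Actievelingen for mkooijma and terminates despite the cycle; the difference is that groups_via_getgrent expands all eight groups to answer one query while groups_via_memberof follows only the edges that lead up from the user.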

Also, these features are supported on Linux, so it should be possible. Wilco pointed out that NetBSD does support this and has nicely documented how. Basically, the problem is that the getgrouplist function uses a parameter that is both an input and an output parameter, which makes it unsuitable to forward using nss. NetBSD fixes this by making getgrouplist a wrapper around a (new) getgroupmembership function, which has a slightly different interface that is compatible with nss.

Yet, it seems that this getgroupmembership nss function is not implemented by winbind. This probably means NetBSD was changed to support this with other nss backends, but nobody got around to adding the function to winbind yet. But, we know that Linux does support this using nss and winbind, so how is that implemented then?

It turns out that Linux has implemented something similar, yet it wraps getgrouplist in an nss-compatible function initgroups_dyn. Its interface is practically compatible with getgroupmembership; the only difference is that getgroupmembership needs a preallocated buffer, while initgroups_dyn can allocate and resize the buffer itself when needed (though this seems like a better idea, the function must still be wrapped in getgrouplist, so it might not really matter anyway....).

Anyway, I now have a clear view of what has to be done. I will either:

  • Port the getgrouplist nss code from NetBSD to FreeBSD and implement getgroupmembership in winbind (for which I can probably borrow code from nss_ldap, which I think supports both Linux and NetBSD).
  • Port the getgrouplist nss code from Linux. This requires no winbind changes, since initgroups_dyn is already implemented in winbind.

Just now, I've found I'm not the only one that wants these changes. So I'll do some more exploring about the necessary changes soon, but now it's time for dinner.

Edit: I've looked at both the Linux and NetBSD libc, and it seems NetBSD is the way to go. Both FreeBSD and NetBSD have taken their libc implementations from something called 4.4BSD-Lite2, meaning that both are already quite similar, in contrast to Linux, whose libc is structured quite differently.

0 comments -:- permalink -:- 19:17
Nested groups and win2000 native mode

Have been fighting with our Windows Server 2003 domain controller and the various samba/winbind connected FreeBSD servers all day. My objectives were twofold: properly configuring SFU and getting nested groups to work on our BSD machines.

The first proved relatively easy. Some PHP code that used the LDAP libraries to mess around in the AD directly gave all our users and groups their uids and gids. Works now. Next up was getting nested groups to work to centralize our access management some more.

The current setup is as follows: We have a group "WWW", which is the web committee. They should always be able to log in to our webserver. Also the group "Beheer" should be able to log in; they are our system administrators. Finally, we have the group "Webmasters", which are the webmasters from a few other committees. Currently, there is a rule that allows these three groups to log in. Ideally there should be one group "WebUsers" that is allowed to log in and contains these three groups.

Looking around brings me to the "winbind nested groups" feature of samba/winbind. This seems like exactly what we need, but eventually this seems to be meant for samba running as DC only, which is not our case (we have a 2k3 DC). Also, looking through the source, this directive seems to have no function at all anymore...

Anyway, winbind should unwrap nested groups all by itself, people told me. So, my current setup should work. Well, surprise, it doesn't :-). Looking around some more makes me suspect putting our domain controller in "Windows 2000 native mode" might help. Currently, our 2k3 server is running in "Windows 2000 mixed mode", which is the default. This allows NT4 domain controllers to participate in the domain, so it shouldn't really be needed for our setup. So, let's upgrade, right?

Well, not so fast... The "upgrade" button is surrounded with red markers and warnings, since the change is not reversible. Upgrading should not affect the DC itself much, nor any of the clients. We don't have any NT4 machines in our domain, so there should be no problem. Also, our Samba servers should be able to talk the Windows 2000+ protocols, so probably no problem there. The thing is, if it breaks, there is no way back. And it is the end of my weekend, people need their systems tomorrow and I need my time (haven't actually gotten to doing anything since I've been struggling with Samba since yesterday). So, the next opportunity I get, 2000 mixed mode dies. Now, let's settle for not-so-centralized management and get our webserver logins back up.

Update: See this post for more info on the cause of the winbind problem.

1 comment -:- permalink -:- 22:23
Sendmail Horrors

As sysadmin of Inter-Actief, I have been working with our FreeBSD 6.0 webserver. After a bunch of permission and stability problems, everything seemed to be ok. We thought...

Now, somebody started complaining that the mails he had sent through this nice Joomla web interface didn't arrive for half a day. We had some earlier problems, but that seemed to be just some incidental DNS failure. This time, about a dozen mails were stuck in our queue, due to DNS failure. Since DNS was operating fine, something else was wrong.

Diving into the wonderful world of sendmail (brr...) I found almost no useful documentation. After a while I found the "mailq" program that lists the queue. After disabling some security option somewhere, half the mails managed to get delivered: the most important half, which were in the "client mail queue". The mails in the "main mail queue" were still undelivered. What the hell is the difference anyway?

After venturing that enabling sendmail listening on our internet connection might solve stuff, there was the issue of trying that. Enabling the sendmail port and restarting sendmail didn't seem to fix it. Now, it did not work. But, didn't it work, or did sendmail just not get around to trying it again? If I could just force sendmail to retry everything, then I'd know for sure.

Right, after plowing through some configuration files, handbooks and manpages, the "sendmail -q" command seemed to do the trick. I think. Still no success anyway... By the way, I was looking at the sendmail config files (I had to spend 10 minutes looking around in files and browsing the internet before I found the actual config file) and encountered the following marvelous snippet:

R<$+> <$*> <$- $-> <$*>         $: <$(access $4:$1 $: ? $)> <$1> <$2> <$3 $4> <$5>
R<?> <$+> <$*> <+ $-> <$*>      $: <$(access $1 $: ? $)> <$1> <$2> <+ $3> <$4>
R<?> <$+ + $* @> <$*> <$- $-> <$*>
                        $: <$(access $5:$1+*@ $: ? $)> <$1+$2@> <$3> <$4 $5> <$6>
R<?> <$+ + $* @> <$*> <+ $-> <$*>
                        $: <$(access $1+*@ $: ? $)> <$1+$2@> <$3> <+ $4> <$5>
R<?> <$+ + $* @> <$*> <$- $-> <$*>
                        $: <$(access $5:$1@ $: ? $)> <$1+$2@> <$3> <$4 $5> <$6>
R<?> <$+ + $* @> <$*> <+ $-> <$*>
                        $: <$(access $1@ $: ? $)> <$1+$2@> <$3> <+ $4> <$5>
R<?> <$+> <$*> <$- $-> <$*>     $@ <$2> <$5>
R<$+ <TMPF>> <$*> <$- $-> <$*>  $@ <<TMPF>> <$5>
R<$+> <$*> <$- $-> <$*>         $@ <$1> <$5>

I am not sure what it is supposed to do, but I think this is supposed to be the assembly form of brainfuck, that gets compiled to the actual sendmail program. Or something. Anyway, yikes! Oh, and in case you were wondering whether the layout is wrong: I did not add any spaces here, this is just how the configuration file looks....

0 comments -:- permalink -:- 03:21
Copyright by Matthijs Kooijman