Archive for the ‘computers’ Category

Implemented stronger Diffie-Hellman parameters thanks to “Logjam”

Well, I haven’t written anything in a while so I figured I’d put this into WP. I recently upgraded a couple of my iOS devices to 8.4 and sure enough, I couldn’t send emails. Come to find out, my services at home were still using weak Diffie-Hellman parameters for the TLS key exchange (the “Logjam” weakness), which the 8.4 mail client now refuses, and I needed to fix them if I wanted to send email ever again from my iPhone.

First I worked on sendmail. I needed to create a 2048-bit DH parameter file with openssl:

openssl dhparam -out dh_2048.pem -2 2048

I ran that from /etc/pki/tls/certs, so that is where the file landed; sendmail.mc can then be told to use it by adding this line:

define(`confDH_PARAMETERS', `/etc/pki/tls/certs/dh_2048.pem')

Next you can run ‘make -C /etc/mail’ to regenerate sendmail.cf, or simply restart sendmail; the CentOS init script notices the changed sendmail.mc and rebuilds it for you (it did for me at least). Email was now working as expected and I’m no longer seeing this in /var/log/maillog:

Aug 1 11:01:10 Sauron sendmail[11796]: t71F0eh9011796: 89.sub-70-197-133.myvzw.com [70.197.133.89] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Aug 1 11:01:11 Sauron sendmail[11803]: STARTTLS=server, error: accept failed=0, SSL_error=5, errno=0, retry=-1
Aug 1 11:01:11 Sauron sendmail[11803]: t71F1Ae8011803: 89.sub-70-197-133.myvzw.com [70.197.133.89] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Aug 1 11:01:11 Sauron sendmail[11804]: STARTTLS=server, error: accept failed=0, SSL_error=5, errno=0, retry=-1
Aug 1 11:01:11 Sauron sendmail[11804]: t71F1BBU011804: 89.sub-70-197-133.myvzw.com [70.197.133.89] did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
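Before pointing sendmail at a dhparam file it is worth confirming the modulus really is the size you asked for, since a leftover 512- or 1024-bit file looks identical from the outside. The following is an added example, not code from the original post: it reads the PEM that `openssl dhparam` writes (PKCS#3 DHParameter, a SEQUENCE of INTEGER p and INTEGER g) with the Python standard library only, so it can be run on the file you point sendmail at. The embedded samples are constructed for the test; their “p” is a 2048-bit or 1024-bit odd number, not a real safe prime, and the 2048-bit threshold is my reading of the weakdh.org guidance.

```python
"""Check the modulus size of an OpenSSL 'DH PARAMETERS' PEM file.

Added example, not part of the original post. Parses the DER structure that
`openssl dhparam` writes (SEQUENCE { INTEGER p, INTEGER g }) with the standard
library only. The sample PEMs below are constructed for testing: their "p" is
a 2048-bit or 1024-bit odd number, not a real safe prime; only the size matters here.
"""
import base64
import re

MIN_BITS = 2048  # assumption: the post-Logjam floor; 1024-bit groups are considered within reach of a well-funded attacker

def _read_der_length(der, pos):
    """Return (length, next_pos) for the DER length field at der[pos]."""
    first = der[pos]
    if first < 0x80:
        return first, pos + 1
    num_bytes = first & 0x7F
    length = int.from_bytes(der[pos + 1:pos + 1 + num_bytes], "big")
    return length, pos + 1 + num_bytes

def _read_tlv(der, pos, expected_tag):
    """Return (body, next_pos) for the TLV at der[pos], checking its tag."""
    tag = der[pos]
    if tag != expected_tag:
        raise ValueError("expected tag 0x%02x at offset %d, got 0x%02x" % (expected_tag, pos, tag))
    length, body_start = _read_der_length(der, pos + 1)
    return der[body_start:body_start + length], body_start + length

def parse_dh_params(pem_text):
    """Return (p, g) from a PEM-encoded DH PARAMETERS block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    seq, _ = _read_tlv(der, 0, 0x30)          # SEQUENCE
    p_bytes, pos = _read_tlv(seq, 0, 0x02)    # INTEGER p (may carry a leading 0x00)
    g_bytes, _ = _read_tlv(seq, pos, 0x02)    # INTEGER g
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def dh_modulus_bits(pem_text):
    """Bit length of the DH modulus in the PEM."""
    p, _ = parse_dh_params(pem_text)
    return p.bit_length()

def check_dh_params(pem_text, min_bits=MIN_BITS):
    """Return (ok, message) for the file; ok is False below min_bits."""
    bits = dh_modulus_bits(pem_text)
    if bits < min_bits:
        return False, "DH modulus is %d bits; Logjam-era guidance is at least %d" % (bits, min_bits)
    return True, "DH modulus is %d bits" % bits

def _der_length(n):
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc

def _der_integer(value):
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")  # extra byte keeps the sign bit clear
    return b"\x02" + _der_length(len(body)) + body

def make_dh_params_pem(p, g=2):
    """Encode (p, g) the way `openssl dhparam` does; used here only to build test input."""
    body = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

# Constructed samples: odd numbers of the right size stand in for real primes.
SAMPLE_2048 = make_dh_params_pem((1 << 2047) | 1)
SAMPLE_1024 = make_dh_params_pem((1 << 1023) | 1)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_2048
    ok, msg = check_dh_params(text)
    print(("OK: " if ok else "WEAK: ") + msg)
```

Run it as `python check_dh.py /etc/pki/tls/certs/dh_2048.pem`; with no argument it checks the built-in 2048-bit sample. The same parser is usable on any dhparam file Apache or another daemon is handed.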

Now to take a look at Apache. I’m using an older version, I think 2.2.3-91 w/ CentOS, so there’s only so much I can do here: the SSLOpenSSLConfCmd DHParameters “{path to dhparams.pem}” directive that would let me hand Apache the DH group I just generated needs httpd 2.4.8 or later built against OpenSSL 1.0.2, and on 2.2 the DHE suites keep using mod_ssl’s built-in 1024-bit group. What I can still do is tell Apache explicitly not to offer the old protocols or the export-grade and anonymous cipher suites; export DHE is exactly what the Logjam downgrade relies on.

Here’s what I did put in my ssl.conf file:

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on

With SSLHonorCipherOrder on the server’s order wins, so any client that supports ECDHE lands on one of those suites and never touches the 1024-bit DHE group, and the !EXPORT and !aNULL exclusions take the downgrade targets off the table. That will at least help for now.
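A config like the one above is easy to regress by a later edit or a package update that drops in a stock ssl.conf again. The following is an added example, not from the original post or the Apache project: a small lint that reads SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder as plain text and flags the settings that let SSLv3, export or anonymous suites back in, or let the client choose the suite. It does not involve mod_ssl or OpenSSL, so it cannot tell you what a given build actually negotiates; check the live server with `openssl s_client` for that. Both sample configs are constructed, the weak one modeled on an older stock ssl.conf and the hardened one on the directives above with the cipher list shortened.

```python
"""Lint the mod_ssl directives in an Apache ssl.conf against the Logjam checklist.

Added example, not from the original post or the Apache project. Reads the
SSL* directives as text only; it does not prove what OpenSSL will negotiate.
Both configs below are constructed samples.
"""
import re

# Cipher classes the suite string must exclude with a leading "!".
REQUIRED_EXCLUSIONS = ("EXPORT", "aNULL", "eNULL", "RC4", "MD5")
FORWARD_SECRET_PREFIXES = ("ECDHE", "DHE", "kEDH", "EECDH", "EDH")

def parse_directives(conf_text):
    """Return {directive: value} for SSL* directives; the last occurrence wins."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(SSL\w+)\s+(.*)", line)
        if m:
            found[m.group(1)] = m.group(2).strip().strip('"')
    return found

def lint_ssl_conf(conf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_directives(conf_text)
    findings = []

    # SSLProtocol: "all" enables everything, "-Name" removes one, "Name"/"+Name" enables one.
    tokens = d.get("SSLProtocol", "all").split()
    enabled_all = "all" in tokens
    removed = {t[1:].lower() for t in tokens if t.startswith("-")}
    explicit = {t.lstrip("+").lower() for t in tokens if not t.startswith("-") and t != "all"}
    for name in ("SSLv2", "SSLv3"):
        if (enabled_all and name.lower() not in removed) or name.lower() in explicit:
            findings.append("SSLProtocol allows %s" % name)

    # SSLCipherSuite is an OpenSSL cipher string; "!X" removes class X permanently.
    suites = d.get("SSLCipherSuite", "DEFAULT").split(":")
    excluded = {s[1:] for s in suites if s.startswith("!")}
    for cls in REQUIRED_EXCLUSIONS:
        if cls not in excluded:
            findings.append("SSLCipherSuite does not exclude !%s" % cls)
    if not suites[0].startswith(FORWARD_SECRET_PREFIXES):
        findings.append("SSLCipherSuite does not lead with a forward-secret (ECDHE/DHE) suite")

    # Without SSLHonorCipherOrder the client's preference, not the list above, decides.
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    return findings

# Constructed sample modeled on an older stock ssl.conf: SSLv3 on, RC4 in, no server ordering.
WEAK_CONF = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
"""

# Constructed sample: the post's three directives with the cipher list shortened.
HARDENED_CONF = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH
SSLHonorCipherOrder on
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":", lint_ssl_conf(conf) or "no findings")
```

Feed it the real file with `lint_ssl_conf(open("/etc/httpd/conf.d/ssl.conf").read())`; an empty list is the pass condition, so it drops into a cron job or a config-management check easily.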

 

Here are a couple of useful links:

https://weakdh.org/sysadmin.html
http://serverfault.com/questions/700655/sendmail-rejecting-some-connections-with-handshake-failure-ssl-alert-number-40
http://weldon.whipple.org/sendmail/wwstarttls.html
http://serverfault.com/questions/693241/how-to-fix-logjam-vulnerability-in-apache-httpd
http://appleinsider.com/articles/15/07/10/how-to-resolve-mail-smtp-errors-in-os-x-10104-and-ios-84

 

 

Office 2010 Pro Plus subscription troubleshooting (OSAUI.exe and OSPP.vbs)

We had an employee who had a broken installation of Office 2010 Pro Plus. We use Microsoft Online Services (now called Office 365) and in particular we use their E3 plan for most of our employees.

Simply running the following…

cd "%ProgramFiles(x86)%\Microsoft Office\Office14\"

dir *.vbs (you're looking for the OSPP.VBS file.)

cscript ospp.vbs /dstatus
(will show you something like this)
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

---Processing--------------------------
---------------------------------------
SKU ID: ae28e0ab-590f-4be3-b7f6-438dda6c0b1c
LICENSE NAME: Office 14, OfficeProPlusSub-Subscription edition
LICENSE DESCRIPTION: Office 14, TIMEBASED_SUB channel
LICENSE STATUS:  ---LICENSED---
ERROR CODE: 4004FC04 as licensed
ERROR CODE: 0x4004FC04
ERROR DESCRIPTION: The Software Licensing Service reported that 
the application is running within the timebased validity period.
Last 5 characters of installed product key: HMBFK
REMAINING GRACE: 26 days  (37247 minute(s) before expiring)
---------------------------------------
---------------------------------------
---Exiting-----------------------------

C:\Program Files (x86)\Microsoft Office\Office14>

…will show you whether or not you’ve got a problem. If the LICENSE STATUS line shows ---NOTIFICATIONS--- instead of ---LICENSED---, you can reactivate the Office subscription by going into this directory…

C:\Users\faileduser>cd "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14"

and running

osaui.exe /K or /F

Run it from cmd with /K to re-enter your password and reactivate under the same account, or /F to sign in as a different user and reset the subscription to a clean state. There is also /r, which lists the other devices using your subscription so you can remove one.
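When you have more than one machine to look at, reading /dstatus output by eye gets old. The following is an added example, not from the original post or from Microsoft: it parses the blocks OSPP.VBS prints into dicts and applies the rule above (a LICENSE STATUS other than ---LICENSED--- means reactivate with osaui.exe) plus a grace-period threshold of my own choosing. The sample is the /dstatus output from this post followed by a constructed second block in notification mode, whose SKU ID and key characters are placeholders.

```python
"""Parse `cscript ospp.vbs /dstatus` output and flag subscriptions that need attention.

Added example, not from the original post or Microsoft. The grace threshold
(min_grace_days) is an assumption; the second sample block is constructed.
"""
import re

LICENSED = "---LICENSED---"

def parse_dstatus(output):
    """Return one dict per 'SKU ID:' block, keeping the fields worth acting on."""
    records, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("SKU ID:"):
            current = {"sku_id": line.split(":", 1)[1].strip()}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue  # banner lines such as ---Processing--- or text before the first SKU
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "LICENSE NAME":
            current["name"] = value
        elif key == "LICENSE STATUS":
            current["status"] = value
        elif key == "ERROR CODE" and value.startswith("0x"):
            current["error_code"] = value   # keep the hex form; the "... as licensed" line is skipped
        elif key == "REMAINING GRACE":
            m = re.match(r"(\d+)\s+day", value)
            current["grace_days"] = int(m.group(1)) if m else None
    return records

def needs_attention(record, min_grace_days=7):
    """True when the license is not ---LICENSED--- or its grace period is nearly used up."""
    if record.get("status") != LICENSED:
        return True
    grace = record.get("grace_days")
    return grace is not None and grace < min_grace_days

def report(output, min_grace_days=7):
    """Return [(sku_id, status, needs_attention)] for every license block in the output."""
    return [(r["sku_id"], r.get("status"), needs_attention(r, min_grace_days))
            for r in parse_dstatus(output)]

# First block is the post's output; second block is constructed (placeholder SKU and key).
SAMPLE_DSTATUS = """\
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

---Processing--------------------------
---------------------------------------
SKU ID: ae28e0ab-590f-4be3-b7f6-438dda6c0b1c
LICENSE NAME: Office 14, OfficeProPlusSub-Subscription edition
LICENSE DESCRIPTION: Office 14, TIMEBASED_SUB channel
LICENSE STATUS:  ---LICENSED---
ERROR CODE: 4004FC04 as licensed
ERROR CODE: 0x4004FC04
ERROR DESCRIPTION: The Software Licensing Service reported that
the application is running within the timebased validity period.
Last 5 characters of installed product key: HMBFK
REMAINING GRACE: 26 days  (37247 minute(s) before expiring)
---------------------------------------
SKU ID: 00000000-0000-0000-0000-000000000002
LICENSE NAME: Office 14, OfficeProPlusSub-Subscription edition
LICENSE DESCRIPTION: Office 14, TIMEBASED_SUB channel
LICENSE STATUS:  ---NOTIFICATIONS---
Last 5 characters of installed product key: XXXXX
REMAINING GRACE: 0 days  (0 minute(s) before expiring)
---------------------------------------
---Exiting-----------------------------
"""

if __name__ == "__main__":
    for sku, status, flagged in report(SAMPLE_DSTATUS):
        print(sku, status, "needs attention" if flagged else "ok")
```

Pipe real output into it with `cscript ospp.vbs /dstatus > dstatus.txt` and `report(open("dstatus.txt").read())`; a flagged record is the cue to walk over with osaui.exe.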

Here are a couple of links:

http://support.microsoft.com/kb/2684927  (Very helpful! Gives the actual error codes your users will probably see!)

http://office.microsoft.com/en-us/word-help/reactivate-subscription-license-by-using-osaui-exe-HA102053194.aspx

http://support.microsoft.com/kb/2512834  (Remove some other device from your subscription. /r will show you a list and you can see whom to remove!)

http://technet.microsoft.com/en-us/library/gg702620.aspx (General troubleshooting tips for Office 365 Pro Plus)

http://blogs.technet.com/b/lystavlen/archive/2011/12/05/in-opp-five-is-the-magic-number-but-then-what.aspx

 

Linux and Active State Power Management

Last year I had an odd issue when installing CentOS 6.0 on a Supermicro motherboard with an Intel PCIe quad-port gigabit NIC based on the 82576 chip. I got past the initial kernel panic by adding pci=noaer as a kernel option, but later hit really weird kernel panics involving the Intel NIC again, which required an additional pcie_aspm=off on the kernel line in my grub file. Pretty odd stuff really, since this was a server and I wasn’t worried about managing its power consumption: we’re a small company and I simply want the server to stay on. There are a number of good articles about ASPM & Linux over on the Phoronix.com website which I found very interesting.

Initial bug report from RHEL: https://bugzilla.redhat.com/show_bug.cgi?id=704758

A number of Kernel parameters one can use at boot time to help troubleshoot things: http://www.kernel.org/doc/Documentation/kernel-parameters.txt

Initial Phoronix News article that got me wondering if Linux’s implementation of ASPM might be my problem: http://www.phoronix.com/scan.php?page=news_item&px=MTAwMjg

I can see how ASPM would be really important to laptop users, sure, but when I’m installing a server I don’t need links powering down on me when not in use. (Of course this is different for datacenters!)

 

Bootable USB flash drive

This one took a while. Essentially I had lost my other bootable USB flash drive and needed to make another one. I had previously used an HP utility which did the heavy lifting for me, but I couldn’t find it on the interwebs nor on my HD to save my life. I ended up using FreeDOS and SysLinux to get the job done. I’m pretty sure the wiki page I found was written for an older version, so I had to download FreeDOS 1.0 to find the fat32lba.bss file which was eluding me.

I will never lose this USB thumb drive…ever…bit of a nightmare really.

 

Useful links:

http://sourceforge.net/apps/mediawiki/freedos/index.php?title=USB

http://www.kernel.org/pub/linux/utils/boot/syslinux/ (I grabbed version 4.05!)

http://www.freedos.org/download/

 

Installing SharePoint 2010 ENT and got error on installing Sync Framework 1.0

Just finished installing a fresh server with SharePoint 2010 Enterprise so an employee could look at the business intelligence dashboard stuff. During the install I received an error about Microsoft Sync Framework 1.0 failing, which brought the whole thing to a screeching halt. It would appear that I had installed .NET 4.0 via Windows Update, which caused the Sync Framework 1.0 installer to puke on me. Thankfully, MS had a hotfix for that which resolved my issue. You can see Microsoft Sync Framework Runtime v1.0 listed on SharePoint 2010’s HW & SW requirements list.

http://support.microsoft.com/kb/962229

After I manually installed the hotfix, the “Install software prerequisites” continued and I had the SharePoint 2010 site up and running before lunch!

Installing nVidia driver under CentOS & Red Hat 6.0

I’m a real big fan of nVidia’s Linux drivers for their GPUs and have installed them numerous times with CentOS 5. I just recently installed them under Red Hat 6 (RHEL 6) and noticed a warning from the nVidia installer that the Nouveau driver was already loaded and needed to be disabled first. Further investigation reveals that Fedora & the latest version of RHEL 6 include Nouveau in the initial ramdisk, so not only do you need to create your own modprobe.d blacklist file but you also need to add a parameter to the kernel line in your grub.conf file to tell the ramdisk not to load Nouveau at boot.

First, create a modprobe blacklist file to prevent the kernel from loading the Nouveau module. You could easily add blacklist nouveau to any old modprobe.conf file, but you never know when your Linux distribution may overwrite your modified file with the next update. You’re better off creating your own blacklist file and dropping it inside the /etc/modprobe.d/ folder. I followed some directions I stumbled upon on the interwebs and created a file called /etc/modprobe.d/disable-nouveau.conf.

I then added the following two lines to that file…

blacklist nouveau
options nouveau modeset=0

Once that was done, I then needed to modify my /etc/grub.conf file so the initial ramdisk would stop loading Nouveau too. To do this I added rdblacklist=nouveau to my kernel vmlinuz line like so…

.
.
.
kernel /vmlinuz-2.6.32-71.14.1.el6.x86_64 ro root=UUID=209502fb-f4f0-4755-a275-de807916fb76 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=128M rhgb rdblacklist=nouveau
.
.
.
.

Oh ya, I always remove the “quiet” at the end of the line too. Something about watching all of the modules load…
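Both this post and the ASPM one above come down to the same thing: making sure a specific parameter is (or is not) on the kernel line in grub.conf, which is easy to get wrong by hand after a kernel update rewrites the stanza. The following is an added example, not part of either original post: it parses a legacy grub.conf kernel line into bare flags and key=value pairs (keys such as pci= and rdblacklist= can repeat, so values are kept in lists) and checks for rdblacklist=nouveau and the absence of quiet for this post, and pci=noaer plus pcie_aspm=off for the ASPM post. The kernel line in the sample is the one from this post; the surrounding grub.conf lines, the modprobe.d check and the check sets themselves are mine.

```python
"""Parse a legacy grub.conf kernel line and check the boot parameters on it.

Added example, not part of the original posts. The kernel line in GRUB_CONF
is the one from the post; the rest of the file and the checks are constructed.
"""

def parse_cmdline(cmdline):
    """Return (flags, params): flags is a set of bare words, params maps key -> [values]."""
    flags, params = set(), {}
    for token in cmdline.split():
        if "=" in token:
            key, value = token.split("=", 1)   # root=UUID=... keeps its inner '='
            params.setdefault(key, []).append(value)
        else:
            flags.add(token)
    return flags, params

def kernel_cmdline_from_grub(grub_text):
    """Return the parameters of the first 'kernel <image> ...' line in a legacy grub.conf."""
    for raw in grub_text.splitlines():
        line = raw.strip()
        if line.startswith("kernel "):
            parts = line.split(None, 2)        # "kernel", image path, parameters
            return parts[2] if len(parts) > 2 else ""
    raise ValueError("no kernel line found in grub.conf")

def has_param(params, key, value):
    """True if key=value is present; comma lists count, so pci=noaer,nomsi satisfies pci=noaer."""
    return any(value in v.split(",") for v in params.get(key, []))

def check_boot_params(grub_text, want=(), want_flags=(), unwanted_flags=()):
    """Return findings for missing key=value pairs, missing flags and flags that should be absent."""
    flags, params = parse_cmdline(kernel_cmdline_from_grub(grub_text))
    findings = []
    for key, value in want:
        if not has_param(params, key, value):
            findings.append("missing %s=%s" % (key, value))
    for flag in want_flags:
        if flag not in flags:
            findings.append("missing %s" % flag)
    for flag in unwanted_flags:
        if flag in flags:
            findings.append("present: %s" % flag)
    return findings

def nouveau_blacklisted(modprobe_conf):
    """True if a modprobe.d fragment both blacklists nouveau and turns off its modesetting."""
    lines = {raw.strip() for raw in modprobe_conf.splitlines()}
    return "blacklist nouveau" in lines and "options nouveau modeset=0" in lines

# Constructed grub.conf; the kernel line is the one from the post above.
GRUB_CONF = """\
default=0
timeout=5
title CentOS (2.6.32-71.14.1.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-71.14.1.el6.x86_64 ro root=UUID=209502fb-f4f0-4755-a275-de807916fb76 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=128M rhgb rdblacklist=nouveau
        initrd /initramfs-2.6.32-71.14.1.el6.x86_64.img
"""

# The two check sets from the posts: Nouveau kept out of the initramfs, and the ASPM workarounds.
NOUVEAU_CHECK = {"want": [("rdblacklist", "nouveau")], "unwanted_flags": ["quiet"]}
ASPM_CHECK = {"want": [("pci", "noaer"), ("pcie_aspm", "off")]}

if __name__ == "__main__":
    print("nouveau:", check_boot_params(GRUB_CONF, **NOUVEAU_CHECK) or "ok")
    print("aspm:", check_boot_params(GRUB_CONF, **ASPM_CHECK) or "ok")
```

Run against the real file with `check_boot_params(open("/etc/grub.conf").read(), **NOUVEAU_CHECK)`; on the sample the Nouveau check passes and the ASPM check reports both parameters missing, which is correct because that kernel line came from the nVidia box, not the Supermicro one.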

Here are a couple of links as usual:

http://us.download.nvidia.com/XFree86/Linux-x86_64/260.19.36/README/commonproblems.html
http://www.if-not-true-then-false.com/2009/howto-install-nvidia-driver-on-fedora-and-just-disable-the-nouveau-driver/

Custom Vanilla kernel for CentOS

I’m in the process of building up a SAN from scratch using SCST & CentOS. I’ve played around w/ kernels in the past but hadn’t done it in a while. When downloading 2.6.36.2 from Kernel.org recently I couldn’t get a bootable kernel no matter what I did w/ CentOS (and yes, I did load the CentOS .config file into menuconfig before compiling my kernel.)

Come to find out, because CentOS 5 is running a heavily modified 2.6.18 kernel, that little .config file is very out of date. As of kernel 2.6.31 there is a kernel config option called “enable deprecated sysfs features to support old userspace tools” under the General setup menu. Once I enabled that option, I was good to go: CentOS 5’s udev is old enough to depend on the deprecated sysfs layout, which is why the disks behind my SAS RAID card were never getting picked up at boot. Everything else after that was a piece of cake!

You could have also just added this to your .config file. (NOTE: Hats off to Vanecka!)
CONFIG_SYSFS_DEPRECATED_V2=y

Couple Kernel compile links for CentOS 5:

http://wiki.centos.org/HowTos/Custom_Kernel  (official CentOS wiki kernel build page)
http://www.howtoforge.com/kernel_compilation_centos_p2  (HowtoForge article)
http://kerneltrap.org/node/1783 (Old KernelTrap article which mentions passing -j8 to make so you’ll use all of your cores on compiles! I did a ‘make -j8 all’ and finished my kernel compile in under 5 minutes on a Xeon E5620 CPU!)
http://www.linuxfromscratch.org/lfs/view/6.4/chapter08/kernel.html (LFS link on kernel compile)

Diskpart FTW!

So I’m playing around w/ a SAN for home use. We’ve virtualized about 80% of our infrastructure at work but most of our VM hosts are standalone with local storage only. So, I’m spending a lot of time at home recently building a SAN on OpenSUSE 11.3 with high hopes of getting iSCSI to play nice. Part of this equation is getting another box to run vCenter Server which will need access to the iSCSI LUNs the VM hosts see.

Hence the title. Windows has a utility called Diskpart.exe which will allow you to turn off auto mount BEFORE you connect your Windows’ iSCSI initiator to your iSCSI target.

Open up a command prompt and type:

C:\Users\yournamehere>diskpart

Once you’re in the diskpart tool, type ‘automount’.

DISKPART> automount
Automatic mounting of new volumes enabled.

Then finally, ‘automount disable’.


DISKPART> automount disable
Automatic mounting of new volumes disabled.

This will keep Windows from automatically mounting the iSCSI volume and messing with the VMFS partition your ESX hosts rely on!

Keep in mind, this means any new volumes your system sees will need to be mounted manually, from Disk Management or from within diskpart itself.

While you’re in there, type just a ‘?’ and see the whole list of commands you can play with. See the Microsoft KB article below for a more thorough introduction!

http://support.microsoft.com/kb/300415

Windows 7 slmgr

I do a lot of virtualization both at home and at work. Several times I’ve needed a way to extend the activation period of Windows 7 because I’m not done w/ a project.

Enter Windows Software Licensing Management Tool.

If you open up a command prompt by right clicking it and selecting, “Run as administrator” you can run the slmgr.vbs command such as…


C:\Users\yournamehere>slmgr /rearm

This can buy you some valuable time before you delete that VM and start on something else. This command ‘rearms’ the activation grace period, and I believe you can do it a total of 3 times before it stops working. Also, try adding /? on the end to see a handy dialog box w/ the other available options.

Windows hotkeys

I’ve always been a big fan of keeping my fingers on the keys versus using a mouse to get things done. I think everyone learns the clipboard hotkeys first before picking up others but even I learn a few new ones from time to time. That having been said, here’s a couple new ones that came out w/ Windows 7|Vista I’ve been enjoying.

  • Win + Up arrow: Will maximize your currently active window.
  • Win + Down arrow: This will minimize the current window unless it’s maximized, in which case it will simply restore it.
  • Win + T: This will allow you to preview items on your taskbar. Just hit enter for it to get focus.

A couple of my day to day favs aren’t new to Windows 7 but they are:

  • Win + E: This will open up Explorer view for browsing your system. This has got to be the one I use most often.
  • Win + D: This does a “Show Desktop” which is very useful for when things start to get a tad bit cluttered.
  • Win + R: This brings up the “Run” dialog box which is handy for those times you need to run something quickly.
  • Win + L: Probably my all time favorite. This will lock your screen so the interns won’t mess with your system!

Here are a couple of URLs w/ more information:

http://lifehacker.com/5132073/the-best-new-windows-7-keyboard-shortcuts

http://support.microsoft.com/kb/126449

http://lifehacker.com/5390086/the-master-list-of-new-windows-7-shortcuts
