Archive for January, 2014

The major pitfall when you manage (start, stop, etc) remote service in Windows XP

Wednesday, January 29th, 2014

I literally spent almost 2 hours googling around for this issue.

“error 5: access denied”

No matter if I use sc.exe, the mmc snapin, sysinternals tools, etc. I get the same error. And it took me this much to find this gem referenced on some forum/whatever:
https://groups.google.com/forum/#!msg/microsoft.public.scripting.wsh/r0GXUNHlVBs/YormuJCEOtwJ

So the problem with WinXP Pro, by default, when in a WORKGROUP is that it’s FORCE GUEST on.
That means that every user connecting to its services is authenticated as guest. And guest has no business managing services.

Now people say that there is no solution for this in WinXP Home and for WinXP Pro one should edit the local policies or registry as explained in that article above.

However, though I cannot verify it on WinXP Home, I believe that by putting the Guest user in the administrators account you should be able to get the same effect. This is working (tested) on WinXP PRO !!!
Of course, the implications of such a bold move must be carefully weighed, because there are a lot of assumptions made in the system about the Guest account and a lot of things will be affected, but, the security issue aside, this is COOL 🙂

Ok, so there you go, covering both pro and home editions. Use it at your own risk.


The traps of buying online hardware from other countries

Wednesday, January 22nd, 2014

So I bought a StarTech 1 port PCI Express eSATA II Controller Card to use in my ESXi to passthrough to my fileserver and connect an internal HDD to it.
Everything is nice, the card works fine in windows but not in linux (which my file server is). I get
FATAL: Error inserting si3531r5 (/lib/modules/2.6.32-358.11.1.el6.x86_64/kernel/drivers/scsi/si3531r5.ko): Invalid module format
and dmesg shows:

si3531r5: version magic '2.6.9-22.ELsmp SMP gcc-3.4' should be '2.6.32-358.11.1.el6.x86_64 SMP mod_unload modversions '

This is as expected since my kernel grew/matured over the years unlike their drivers.
So I go about contacting their support, asking for code or updated drivers. They route me to silicon image for this issue because

Unfortunately when it comes to the source code for these cards, that code is owned by Silicon Image and if we had the source code ourselves, we would still most likely not be at liberty to hand it out. We supply the driver on the website which is designed for getting this card installed and working in most environments.

Now, that’s silly, since in the Linux world kernels get new versions all the time, so it’s pretty much impossible to keep a system outdated for 4-5 years just so an expansion card can be used in it. It’s just stupid.

So I go to silicon image site, and check for drivers. What do you know:

End-Users: Silicon Image does NOT support End-Users directly. Silicon Image designs and develops chips for manufacturers. These manufacturers develop their own drivers, firmware and software for their boards. Silicon Image does not have information or access to the Drivers, Software or boards that these manufacturers create and sell. We typically assist these manufacturers when they have problems with our chips. End-Users should contact product manufacturer of the board for technical support.

In RED.

Call me stupid, but startech support appears to be living on another planet. They tell me to return the card. Right. Overseas?


Troubleshooting NFS

Monday, January 6th, 2014

Every now and then I have issues with my NFS setup, server-side or client-side. And since I don’t usually handle NFS all that often, I always forget how to solve it and end up wasting a ton of time debugging and searching and stuff.

So I finally, seconds before posting a long question on serverfault.com, managed to pin it down once again.

So, long story short:
– most of the problems regarding NFS come from a firewall: server-side, client-side and/or router-side. So make sure to disable them all and see if that works. If it does, I’ll explain later how to make it work with your firewall enabled as well
– then, there are NFS server and NFS client configuration issues. There are plenty of how-tos out there for this

So how to troubleshoot a firewall/iptables issue? The most common flag for this problem is “connection timeout”. If you get it, it’s most likely a firewall/routing issue.

What I just did now, in my case, is to set up my firewall rules in such a way that all drops go to a special “mydrop” target, in which I drop everything.
Then, I have some scripts which cancel, restore and enable logging in the firewall.
The logging script will cancel the firewall, then restore it (this cleans up stuff), then it adds logging like:

iptables -I mydrop -m limit --limit 2/sec -j LOG --log-prefix "IPTables-dropped: " --log-level 4 --log-tcp-options --log-ip-options

then, in another console, I do

tail -f /var/log/messages

and in the first one I start the mount/showmount/rpcinfo commands and check the tail log to see what packets are being dropped.
Then I make rules for those packets.
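
The triage step described above, as an added example that is not part of the original post: it reduces the logged drops to one line per distinct flow, tagged with the --sport or --dport match a rule would need. The port list is copied from the rule sets further down this page; the sample log lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Ports used by the NFS rule sets on this page.
NFS_PORTS="111 662 875 892 2049 32769 32803"

# stdin: syslog lines; stdout: one "proto src dst match" line per distinct flow.
# No counts are printed: the LOG rule is rate-limited to 2/sec, so they would mislead.
summarize_drops() {
    awk -v ports="$NFS_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) known[p[i]] = 1 }
    /IPTables-dropped: / {
        src = dst = proto = spt = dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\[/) break    # ICMP errors quote the original packet in [...]
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
            else if ($i ~ /^SPT=/)   spt   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (proto == "") next
        if      (spt in known) match_on = "--sport " spt   # reply from a fixed server port
        else if (dpt in known) match_on = "--dport " dpt   # request to a fixed server port
        else if (spt != "")    match_on = "other " spt ">" dpt
        else                   match_on = "-"
        seen[proto " " src " " dst " " match_on] = 1
    }
    END { for (k in seen) print k }' | LC_ALL=C sort
}

# Constructed sample of what the LOG rule writes on an NFS client (192.168.1.10).
sample_log() {
    cat <<'EOF'
Jan  6 10:15:01 client kernel: IPTables-dropped: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.168.1.4 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=892 DPT=790 WINDOW=14480 RES=0x00 ACK SYN URGP=0
Jan  6 10:15:04 client kernel: IPTables-dropped: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.168.1.4 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=892 DPT=790 WINDOW=14480 RES=0x00 ACK SYN URGP=0
Jan  6 10:15:09 client kernel: IPTables-dropped: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.168.1.4 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=2049 DPT=901 WINDOW=14480 RES=0x00 ACK SYN URGP=0
Jan  6 10:15:10 client kernel: IPTables-dropped: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:11:22:33:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=4711 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.10 DST=192.168.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=790 DPT=892 WINDOW=14600 RES=0x00 SYN URGP=0 ]
Jan  6 10:15:11 client sshd[2210]: Accepted publickey for root from 192.168.1.20 port 51514 ssh2
Jan  6 10:15:12 client kernel: IPTables-dropped: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:0c:29:44:55:66:08:00 SRC=192.168.1.7 DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=53
EOF
}

sample_log | summarize_drops
```

Against the live log the same function is fed from /var/log/messages; lines tagged "other" or "-" are usually unrelated noise and do not call for a new NFS rule.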

Now, in my personal case, I set up my NFS server to have static/dedicated ports (there are how-tos out there on how to do it, I won’t go over them here).
So, on a tight firewalled linux machine, the iptables rules for NFS client would look like this

# nfs client
-A services -s 192.168.1.4 -p tcp --sport 111 -j ACCEPT
-A services -s 192.168.1.4 -p tcp --sport 892 -j ACCEPT
-A services -s 192.168.1.4 -p tcp --sport 2049 -j ACCEPT
-A services -s 127.0.0.1 -d 127.0.0.1 -p udp --dport 111 -j ACCEPT
-A services -s 127.0.0.1 -d 127.0.0.1 -p udp --sport 111 -j ACCEPT

“services” in this context is a dedicated target for my used services (usually server/daemon stuff, but also client stuff when needed, like this scenario).
Note: 192.168.1.4 is my NFS server.

Then, on server side I have this
# nfs server
-A services -s 192.168.1.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
-A services -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT

The rules with INPUT I copied from another blog/site, which I can’t recall now. At the time I got these, I hadn’t thought of the logging idea I just wrote about, and I don’t want to kill all my machines to test it so I can figure out exactly what rules to put there.

Anyway, I hope this logging idea will help someone save some hours.


Experts-Exchange: going at it, again

Saturday, January 4th, 2014

As mentioned earlier, I got congratulated on becoming a designated expert in 2 sections: http://blog.ciuly.com/?p=817
Today, they did it again. For the same 2 sections 🙂

Time for another email to their support (the first time I didn’t mail them, I was hoping it was a one-time slip).


Windows XP: this file came from another computer and might be blocked

Friday, January 3rd, 2014

I thought I’d seen them all in WinXP. So I got bumped today with not being able to access a file over a share on another computer on the local network. I hit the file properties and saw the message in the title.
A little googling turned up suggestions that it may be some zone information the IE browser sets when you download a file. Some suggest using streams.exe from Sysinternals to delete the extra data stream of the file.

Indeed, that solves it. But I am not one of those that just blindly deletes stuff, so before I deleted, I made sure to peek at what info I was about to delete. And it looks like this:
c:\path\DigiSign_eToken_PKI_Client_x32.msi:
:Zone.Identifier:$DATA 26

Looks safe to delete, so just proceed. If you get anything else, make sure it is safe to delete before you do it.


Apache on linux: Could not open configuration file Permission denied

Thursday, January 2nd, 2014

I don’t do configuration every day so some things elude me. Especially when selinux is involved.

So this happened to me the other day when I set up a new web site on my server and, as usual, added a config file for it. Immediately after reloading apache, I got the Permission Denied error when reading the newly created default.conf file.

Took some googling to get to the bottom of it:

(just to confirm it’s selinux)
[root@localhost conf]# sestatus
SELinux status: enabled

[root@localhost sites]# ls -Z
-rw-r--r-- root root root:object_r:default_t default.conf
-rw-r--r-- root root root:object_r:httpd_config_t site1.conf
-rw-r--r-- root root root:object_r:httpd_config_t site2.conf

[root@localhost sites]# chcon -t httpd_config_t default.conf

[root@localhost sites]# ls -Z
-rw-r--r-- root root root:object_r:httpd_config_t default.conf
-rw-r--r-- root root root:object_r:httpd_config_t site1.conf
-rw-r--r-- root root root:object_r:httpd_config_t site2.conf

Same goes on the site folders and files.

And it’s all good now. I’ll probably make some script to create these things automatically so I won’t have to deal with these issues every other year when I decide to put up a new site.
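
A check for the labelling problem above, as an added example that is not part of the original post: it reads ls -Z output and prints the semanage/restorecon commands that make the httpd_config_t label persistent, since a chcon change does not survive a filesystem relabel. The path /path/to/sites is a placeholder for the real directory and the function names are made up for illustration.

```shell
#!/bin/sh
# stdin: `ls -Z` output in the five-column layout shown above
#        (mode user group context name); names with spaces are not handled.
# $1: directory holding the files (placeholder path), $2: wanted SELinux type.
relabel_plan() {
    awk -v dir="$1" -v want="$2" '
    NF == 5 {
        split($4, ctx, ":")                  # user:role:type[:level]
        if (ctx[3] != want) {
            printf "# %s: %s (want %s)\n", $5, ctx[3], want
            bad++
        }
    }
    END {
        if (bad) {
            # chcon alone is undone by a relabel; record the rule, then apply it.
            printf "semanage fcontext -a -t %s \"%s(/.*)?\"\n", want, dir
            printf "restorecon -Rv %s\n", dir
        }
    }'
}

# The listing from the post, before the fix.
sample_ls() {
    cat <<'EOF'
-rw-r--r-- root root root:object_r:default_t default.conf
-rw-r--r-- root root root:object_r:httpd_config_t site1.conf
-rw-r--r-- root root root:object_r:httpd_config_t site2.conf
EOF
}

sample_ls | relabel_plan /path/to/sites httpd_config_t
```

The function only prints the plan; review the commands and run them as root once the path matches the real site directory.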


CentOS modulez.cgz

Thursday, January 2nd, 2014

So I was trying to install startech 1 port PCI Express eSATA II Controller Card in one of my linux servers and according to the included readme/manual, one would do:
modules.cgz | gunzip | cpio -ivH crc
as one of the first steps to copy out the proper files for the current kernel.
Unfortunately, there are a few issues with the zip file you download from their site:
1. the executable files are not executable (the bit is not set) so one must chmod +x on them
2. the command above fails with
-bash: modules.cgz: command not found

So after googling a bit, I found that one should do:
gunzip < modules.cgz | cpio -ivH crc

That takes care of that issue. The next problem I bumped into was that the "copy the modules.cgz to a destination directory" instruction was not clear enough. We're not talking about any destinations here. The problem started from the insmod call, which would report that
insmod: can't read 'si3531r5': No such file or directory
same for
insmod: can't read 'si3531r5.ko': No such file or directory
even when copying into /lib/modules/`uname -r`/kernel/drivers/scsi/ which seemed the logical thing to do

Then it hit me: there's a list of modules that are loaded, which was not updated. so I
echo kernel/drivers/scsi/si3531r5.ko >>/lib/modules/`uname -r`/modules.dep
and then
depmod -a

and finally, I did
modprobe si3531r5
which, obviously, failed:
FATAL: Error inserting si3531r5 (/lib/modules/2.6.32-358.11.1.el6.x86_64/kernel/drivers/scsi/si3531r5.ko): Invalid module format

so I hit dmesg which shows:
si3531r5: version magic '2.6.9-22.ELsmp SMP gcc-3.4' should be '2.6.32-358.11.1.el6.x86_64 SMP mod_unload modversions '

Trying to find sources for the driver in order to recompile it, failed. Nothing, nowhere.

So, it is time to appeal to their technical support. Hopefully, it will be a positive experience.
