August 26th, 2005 by slowe
As attested by the fact that you are reading this, my new weblog server running WordPress 1.5.2 is now up and running. WordPress will give me more functionality than I had at Blogger, and the freedom to customize my weblog more deeply than I could before.
Technorati Tags: Blogging
Category: Networking
August 18th, 2005 by slowe
It looks like things will work out next week so that I’ll be able to post some additional information on some technologies I’ve mentioned recently.
First up will be access-based enumeration. One of my customers is planning on using this technology and we need to make sure that the potential performance impacts mentioned by Microsoft aren’t going to be a deal-breaker. So, once I have some additional information, I’ll post it here.
Next will be the XC Connect software I mentioned a few posts back. I just finished downloading the Linux version of the XC Connect server software, and hope to have that installed on a CentOS system soon for testing. Again, after some testing with the product, I’ll post more information here.
Technorati Tags: Linux, Microsoft
Category: Interoperability
August 17th, 2005 by slowe
As technical people, we often immerse ourselves in our work to a far greater extent than people in other fields do. Why? I would imagine that most people, like myself, find this field to be as much of a hobby as it is a career. Sometimes, that’s fine, as it gives us the necessary technical edge to excel in a highly competitive arena.
But sometimes we take it too far. As I was driving to work this morning, the song “American Dream” by Casting Crowns (great Christian rock group, by the way; see their web site) started playing. Listening to the song’s lyrics, I was reminded of the real priorities in life (all lyrics copyrighted by Casting Crowns):
“Not this time son I’ve no time to waste
Maybe tomorrow we’ll have time to play
And then he slips into his new BMW
And drives farther and farther and farther away
So he works all day and tries to sleep at night
He says things will get better;
Better in time”
How many times have we worked late to finish up that “important project”? You know, the one that just couldn’t wait until tomorrow? Too many times. Of course, this isn’t the first time this song has spoken to my heart; I’ve been a fan of Casting Crowns from practically Day One, and this song has always been a powerful one. I thank God that I realized my priorities were wrong years ago, and started putting God and my family first. I say that not to lift myself up or to speak highly of myself, but to give God the glory. To the rest of you techies out there, take note: It is possible to be successful in this field without sacrificing what really matters in life.
Technorati Tags: Christianity, Personal
Category: Personal
August 17th, 2005 by slowe
While browsing the Apple site for some birthday gift ideas (my birthday is coming up soon and my wife needs some gift ideas; she says I’m impossible to shop for), I came across a link to a product called XC Connect.
I was curious, so I followed the link and found a piece of software that, if it works as well as it claims, could be an incredible help. At my office, we use a proprietary messaging system that doesn’t play so well with my PowerBook and Mac OS X. I’ve managed to do reasonably well so far, using third-party tools to push my iCal and Address Book data into this back-end system. XC Connect promises to change all that. Using a Java application deployed on a server (Linux, Windows, or Mac OS X) along with a small client application, XC Connect promises to enable sharing of data between Windows/Outlook, Mac OS X/iCal/Address Book/Entourage, and Linux/Evolution. And it will do this with an encrypted connection between client and server.
There’s a free evaluation copy available from the web site, and I can create a Linux server to test it on. Why not? If the application bombs, then I’ve only lost some time; if the application rocks, then I’ve found a whole new way of sharing data with my co-workers. I’ll let you know what the verdict is.
Technorati Tags: Linux, Macintosh, Microsoft
Category: Interoperability
August 16th, 2005 by slowe
So I’ve been working with CentOS, the “free as in free beer” equivalent of Red Hat Enterprise Linux, and for the most part I like it. (See here for some additional comments about CentOS 4.1.) However, I’ve run into this strange problem with NTPd.
The problem is it doesn’t work. Yes, I’ve added the appropriate rules in iptables. Yes, the NTPd daemon is running. Yes, I’ve checked connectivity to the time server with which I am trying to synchronize. The ntpdate utility works like a champ, but NTPd just won’t keep the server’s time synchronized. OK, am I missing something here? I have OpenBSD and Red Hat Linux 9.0 servers that synchronize just fine, but not this server.
Finally, fed up with the problems, I just scheduled an hourly cron job with ntpdate. It’s not ideal, but it works.
Technorati Tags: Linux, Networking
Category: Linux
August 16th, 2005 by slowe
I came across a funky Active Directory issue today. User objects stored in an OU on which permissions had been assigned were “losing” their permissions and their inheritance from the parent OU. For example, if the group “Support Team” had been granted a set of permissions on the OU “Sales”, then the user object “Bob Jones” stored in that OU would lose those permissions regularly. Even when the permissions were reassigned, they would disappear again.
It turns out that if the user object is a member, directly or indirectly, of a “protected group” (such as Server Operators, Backup Operators, or Administrators), then Active Directory automatically removes any inherited permissions, resets those permissions to the default, and turns off inheritance for those objects. The idea is to prevent possible elevation of privileges. This behavior is described in this KB article.
The fix? Well, you can muck around in Active Directory and play with the adminSDHolder object, or you can just not worry about delegations on those user objects, or you can remove those user objects from the protected group in question. In my particular case, the user objects needed to be taken out of the protected group anyway, so that was a natural fit.
Keep this in mind when planning AD delegations and the placement of accounts that will be members of a protected group.
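To see which accounts this behavior touches before planning a delegation, the following added example (not part of the original post) lists user objects that Active Directory has stamped with `adminCount=1`, whether inheritance is disabled on each, and which of the protected groups named above each one currently belongs to, directly or through nesting. It assumes the ActiveDirectory PowerShell module is installed and checks only the three groups the post mentions; the full set of protected groups is longer.

```powershell
# Added example, not from the original post.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Protected groups named in the post; the real list is longer.
$protectedGroups = 'Administrators', 'Server Operators', 'Backup Operators'

# Map each user DN to the protected groups it belongs to (direct or nested).
$membership = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Identity $name
    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: it follows nested groups.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName)))"
    foreach ($user in Get-ADUser -LDAPFilter $filter) {
        $membership[$user.DistinguishedName] += @($name)
    }
}

# adminCount=1 marks objects whose ACL has been reset from the adminSDHolder template.
$flagged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor

$report = foreach ($user in $flagged) {
    [pscustomobject]@{
        User                = $user.SamAccountName
        # True means the object no longer inherits permissions from its parent OU.
        InheritanceDisabled = $user.nTSecurityDescriptor.AreAccessRulesProtected
        # Empty means the account is in none of the three groups checked here.
        ProtectedGroups     = ($membership[$user.DistinguishedName] -join ', ')
        DistinguishedName   = $user.DistinguishedName
    }
}

$report | Sort-Object DistinguishedName | Format-Table -AutoSize -Wrap
```

Any row with `InheritanceDisabled` set to `True` is an account on which permissions delegated at the OU level will not apply.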
Category: Interoperability, Microsoft
August 13th, 2005 by slowe
I posted a write-up of my Active Directory-Linux integration as a technical document on the Mercurion Systems web site. You can find the document in the Downloads area. I hope it proves useful to someone.
Technorati Tags: Linux, Microsoft
Category: Interoperability
August 11th, 2005 by slowe
As a follow-up to this posting on access-based enumeration, I wanted to post information from some testing I performed earlier this week. I installed access-based enumeration (ABE) on a server running Windows Server 2003 SP1 (the only version of Windows on which it is supported). It does what it advertises; when a non-administrative user connects to a shared folder on which ABE is enabled, he or she sees only those folders to which he or she has permission.
There are some limitations. Administrative users are not affected in any way. ABE only works for network access; users accessing the filesystem locally are not affected. This makes ABE unsuitable for use on terminal servers. Additionally, ABE is enabled or disabled on a share-by-share basis, and while it is possible to turn ABE on or off for all shares at one time, there is no provision for setting ABE on by default for new shares. Finally, ABE can negatively impact performance, especially for shared folders with large numbers of files.
I’m kind of split on this one. On the one hand, it’s really good functionality that will dramatically change the way system administrators approach Windows-based file servers. On the other hand, the potential performance drawbacks of ABE are concerning.
If you are running file servers on Windows Server 2003 with Service Pack 1 installed, you owe it to yourself to at least evaluate ABE. You may find that it doesn’t work for your network, but then again you may find that you don’t want to go on without the added functionality that ABE brings to the table.
Category: Networking
August 11th, 2005 by slowe
Mentioned earlier in this posting, Novell’s OpenSuSE site is now up and running, offering free downloads of SuSE 9.3 and beta versions of SuSE 10.0. I hope that Novell is as successful with OpenSuSE as Red Hat was with Fedora. I may just give SuSE 9.3 a try to see if I like it.
Technorati Tags: Linux, Novell
Category: Linux
August 11th, 2005 by slowe
…but SSL is not so easy. I found a workaround for using Stunnel; in order for INN to not think it’s another news server feeding it information and instead treat it like a reader, I had to alias another IP address and bind Stunnel on that IP address. It works, but it’s not my ideal solution.
To further complicate matters, it looks like I’ll have to compile INN from source myself in order to get SSL support in nnrpd (that’s the component that handles connections from NNTP readers). It’s not a big deal, I know. It’s just my history compiling from source has been a bit rocky.
Technorati Tags: Newsgroups, OSS, SSL
Category: Collaboration