MSDE, SQL2005 Express, Memory Tuning
If you work in networks with Windows products coupled with MSDE or SQL Express, you will eventually run into memory consumption problems. Apparently no GUI deals with it. I have seen numerous complaints on the Internet about sqlservr.exe consuming loads of memory. Some psychos recommend “uninstalling and re SBS Diva has a great article which I will here condense:
osql is the command-line tool for monkeying with MS-SQL200*.
c:\> osql -E -S MYSERVER\instancename
1>
So, first add the “Process ID” column to Task Manager. Note the PID of the offending SQL process. Next, open command prompt, and run tasklist /svc. Locate the PID matching the process, and find the name you want:
sqlservr.exe 1972 MSSQL$SBSMONITORING
sqlservr.exe 2020 MSSQL$SHAREPOINT
The part after the ‘$’ is the instancename. (Hopefully you already know your machinename.)
Once you have the instance, run osql as shown above.
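c:\> osql -E -S MYSERVER\instancename
1> sp_configure 'max server memory',128
2> reconfigure with override
3> go
max server memory: this option is in megabytes. The commands above set the ‘MSSQL$INSTANCENAME’ instance to operate at 128 megabytes. (When set this way, most of my instances reported between 160M and 180M when in use.) 'max server memory' is an advanced option, so if sp_configure reports that the option does not exist, enable 'show advanced options' first, as shown in the Notes below.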
Notes
It’s simple to list all of the configured parameters for the server: load osql, as shown above, and run:
1> sp_configure 'show advanced options',1
2> reconfigure
3> go
1> sp_configure
2> go
That will dump all the configured options. It also, of course, enables advanced options.
NGinx + Tracd
I hate Apache. I really do. I refuse to vindicate that hatred. There are great aspects about it, but the things I want to do are hampered by things like the sewer-refuse-styled configuration syntax.
I like Nginx. It is fast, simple, and is amazing. It does proxy, reverse proxy, rewrite, ssl, and everything else. Cliff Wells cooked up a wiki. As linked before, it cleans up when facing off with Apache, Pound, Lighttpd, etc. It has all the core features that sane people need.
I just wrote a recipe for Trac + Nginx over at Edgewall. Trac + Nginx + PostgreSQL kicks ass.
Note: I still use Apache for mod_dav_svn and a mod_python-only application. (But that will be fixed soon enough.) SVN is another question entirely.
Listing NFS Exports
One problem that I have frequently is remembering how to list NFS exports on a remote server. It’s really simple:
osXlt:~ joshua$ showmount -a gambit
All mount points on gambit:
osXlt:~ joshua$ showmount -a forge
All mount points on forge:
*:/data
*,bubbles.mynetwork.com:/data
*,bubbles.mynetwork.com:/usr/portage
*,mdd.mynetwork.com:/data
*,shelob.mynetwork.com:/data
*,shelob.mynetwork.com:/home
*,shelob.mynetwork.com:/usr/portage
*,thrall.mynetwork.com:/data
*,thrall.mynetwork.com:/home
It’s simple. I just keep forgetting. Score one for perpetuity.
SAV MSE - It's a Mystery
Task: Upgrade Symantec Antivirus for Microsoft Exchange.
Difficulty: Symantec Continues to Suck.
Despite a clear desire to escape from these things, it can be difficult. Today’s installment brought a new error: “Please Insert Disk 1”. Despite all my best attempts, I could not divine what disk ‘1’ was/is.
After much searching, I finally found a link reporting that this bug was fixed - ??? - and it was related to “Installing MSE gateway from removable media”. Since I couldn’t find a download link, or other way to update, I copied the entire install directory to my c:\ drive, and voilà! It works. Yay!
Query Exchange with Postfix
This is a simple, but cool, recipe for querying Exchange from Postfix. This is used with a Windows 2003 Small Business Server, running (s)Exchange 2003.
We don’t often use this, because of the obvious problem of being unable to receive mail when Exchange crashes or must be rebooted. It is nice though, and a straightforward solution.
exchange_map.cf
bind_dn = cn=Spamfilter User,cn=Users,dc=MySBS,dc=org
bind_pw = kill$pam
scope = sub
search_base = dc=MySBS,dc=org
server_host = ldaps://Server.MySBS.org:636
start_tls = no
version = 3
result_attribute = mail
query_filter = (&(objectClass=user)(|(mail=%s)(proxyAddresses=SMTP:%s)))
test
firewall postfix # postmap -q kelly@MySBS.org ldap:/etc/postfix/exchange_map.cf
kelly@MySBS.org
firewall postfix # postmap -q fakeuser@MySBS.org ldap:/etc/postfix/exchange_map.cf
firewall postfix # postmap -q joshua@imrnet.com ldap:/etc/postfix/exchange_map.cf
main.cf
.....
relay_recipient_maps = ldap:/etc/postfix/exchange_map.cf
.....
So, Kelly exists, but fakeuser and Joshua are (mysteriously) absent.
Kerberos - /etc/hosts can be a killer.
My own private war is with my habits. So often when testing web services, I will set up a name in /etc/hosts, allowing a quick and dirty approach to debugging, testing, or whatever.
I use kerberos and this is a problem, considering that I added this:
198.145.247.218 test.asylumware.com
When you connect to a kerberized host with SSH, the Kerberos client resolves the host name to an IP address and then does a PTR lookup on that address. The name that comes back is the host it requests a service ticket for when connecting.
After months of work, suddenly I could no longer auth via Kerberos. I couldn't see the problem, and I couldn't remember where to look. "ssh -v menionus@embassy.asylumware.com" reveals 'Server Not Found in Kerberos Database', and it's freaky, puzzling and can be depressing. Always look in the KDC log; it will show the violating requests.
root@embassy # cat krb5kdc.log |grep -i 'server not found'
Jul 26 14:56:04 embassy krb5kdc[7482](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) XX.XX.XX.XX: UNKNOWN_SERVER:
authtime 1153950097, menionus@ASYLUMWARE.COM for host/test.asylumware.com@ASYLUMWARE.COM, Server not found in Kerberos database
Jul 26 14:56:45 embassy krb5kdc[7482](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) XX.XX.XX.XX: UNKNOWN_SERVER:
authtime 1153950097, menionus@ASYLUMWARE.COM for host/test.asylumware.com@ASYLUMWARE.COM, Server not found in Kerberos database
Jul 26 14:56:45 embassy krb5kdc[7482](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) XX.XX.XX.XX: UNKNOWN_SERVER:
authtime 1153950097, menionus@ASYLUMWARE.COM for host/test.asylumware.com@ASYLUMWARE.COM, Server not found in Kerberos database
Here is the hack to avoid the problem: put the host's real name first on the line, followed by the test names.
198.145.247.218 embassy.asylumware.com testserver.myplace.com otherserver.myplace.com
Problem Solved. =)
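
The failure mode above, reproduced offline as an added example (not code from the original post): it pulls the rejected principal out of a KDC log entry and finds the /etc/hosts line whose first name produced it. The inputs are constructed from the post's own values (the log entry is joined onto one line), the function names are illustrative, and it assumes the resolver consults /etc/hosts before DNS.

```python
import re

# Constructed inputs built from the post's values: the broken and the fixed
# /etc/hosts line, and one KDC log entry joined onto a single line.
BROKEN_HOSTS = "127.0.0.1 localhost\n198.145.247.218 test.asylumware.com\n"
FIXED_HOSTS = ("127.0.0.1 localhost\n"
               "198.145.247.218 embassy.asylumware.com "
               "testserver.myplace.com otherserver.myplace.com\n")
KDC_LOG = (
    "Jul 26 14:56:04 embassy krb5kdc[7482](info): TGS_REQ (7 etypes "
    "{18 17 16 23 1 3 2}) XX.XX.XX.XX: UNKNOWN_SERVER: authtime 1153950097, "
    "menionus@ASYLUMWARE.COM for host/test.asylumware.com@ASYLUMWARE.COM, "
    "Server not found in Kerberos database\n"
)

# "<client> for <service>/<host>@<REALM>, ..." on an UNKNOWN_SERVER entry
UNKNOWN = re.compile(r"UNKNOWN_SERVER:.*? for (\S+?)/(\S+?)@(\S+?), ")


def parse_hosts(text):
    """Return [(ip, [names...])] in file order, ignoring comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], [n.lower() for n in fields[1:]]))
    return entries


def reverse_name(hosts_text, ip):
    """Name a files-first resolver returns for ip: first name, first match."""
    for addr, names in parse_hosts(hosts_text):
        if addr == ip:
            return names[0]
    return None  # not in the file; the resolver would fall through to DNS


def unknown_principals(log_text):
    """Set of (service, host, realm) the KDC rejected as UNKNOWN_SERVER."""
    return {m.groups() for m in UNKNOWN.finditer(log_text)}


def hosts_culprits(hosts_text, log_text):
    """hosts entries whose canonical name matches a rejected principal."""
    rejected = {host.lower() for _, host, _ in unknown_principals(log_text)}
    return [(ip, names) for ip, names in parse_hosts(hosts_text)
            if names[0] in rejected]
```
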
Spam - SPF and Blackberry Handhelds
A growing number of small businesses are using Blackberry handhelds. Microsoft's services haven't taken off as strongly, but in a year or two I suspect Microsoft's products will be kings of the market.
For now, we have a wide range of Blackberry services. Most of my clients use the Blackberry Enterprise Server (BES) with Exchange. It's terribly expensive, but the entire operation works nicely and people like it.
Some of my customers use SMTP + POP3, and one in particular uses this with a Postfix based spamfilter.
Postfix uses SPF (policy-spf.pl) and that, in turn, depends on internal SPF records to help reduce spoofing of addresses. Naturally, sending from the Blackberry creates a bounce. We finally figured out how to set this up with SPF. It was a simple change:
Old Record
v=spf1 a mx mx:spamfilter.domain.com mx:gw.domain.com mx:gw1.domaim.com ip4:10.1.1.0/24 a:server.otherdomain.com -all
New Record
v=spf1 a mx mx:spamfilter.domain.com mx:gw.domain.com mx:gw1.domaim.com ip4:10.1.1.0/24 a:server.otherdomain.com ?ptr:blackberry.com -all
See? Just add the "?ptr:blackberry.com", and boom - all is good.
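
How the two records evaluate, as an added example (not part of the original post or of policy-spf.pl): a cut-down SPF evaluator run against a constructed stand-in for DNS. The addresses, PTR names, default domain and function names are assumptions. Note that `?` yields neutral rather than pass, and that RFC 7208 discourages publishing the ptr mechanism.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

OLD = ("v=spf1 a mx mx:spamfilter.domain.com mx:gw.domain.com "
       "mx:gw1.domaim.com ip4:10.1.1.0/24 a:server.otherdomain.com -all")
NEW = OLD.replace(" -all", " ?ptr:blackberry.com -all")

# Constructed stand-in for DNS (all values invented for this example):
# addresses behind each a/mx target, and validated PTR names per client IP.
ADDRS = {"domain.com": {"10.1.1.5"}, "spamfilter.domain.com": {"10.1.1.6"}}
PTR = {"203.0.113.25": ["smtp01.bis.blackberry.com"],
       "198.51.100.7": ["mail.example.net"]}


def parse(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    terms = []
    for term in record.split()[1:]:            # skip "v=spf1"
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        terms.append((qual, mech.lower(), arg))
    return terms


def matches(mech, arg, ip, domain):
    """True if the client ip satisfies one mechanism."""
    if mech == "all":
        return True
    if mech == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
    if mech in ("a", "mx"):                    # both reduce to an address set
        return ip in ADDRS.get(arg or domain, set())
    if mech == "ptr":                          # validated name at/under arg
        target = (arg or domain).lower()
        return any(n == target or n.endswith("." + target)
                   for n in PTR.get(ip, []))
    return False


def check_host(record, ip, domain="domain.com"):
    """Result of the first matching term, evaluated left to right."""
    for qual, mech, arg in parse(record):
        if matches(mech, arg, ip, domain):
            return QUALIFIERS[qual]
    return "neutral"                           # no term matched
```

Whether a neutral result gets the message accepted depends on how the policy server is configured to treat it.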
IPsec - The Evil Cisco Concentrator
Cisco VPN concentrators are a regular occurrence in the field. They can be the bane of your life. However, there is one simple change to enable these to consistently work with multiple policy routed subnets.
In your /etc/ipsec.conf, set the policy level to 'unique' instead of 'require'.
The entries in /etc/ipsec.conf are fully covered in the ipsec.conf man pages, and online at various locations. Google and find. My focus is the 'policy-level', the last value in the spdadd string. I have only ever seen it set to 'require', but recently I discovered the 'unique' as well as the 'unique:<1-32768>'. This allows for negotiating Phase2 crypto per-policy, or per-group. (unique: Consider this policy file:
/etc/ipsec.conf
#### Tunnel: CheeseSteak Club
spdadd 88.88.30.231 192.168.1.240/28 any -P in ipsec esp/tunnel/88.88.30.231-66.66.177.102/require;
spdadd 192.168.1.240/28 88.88.30.231 any -P out ipsec esp/tunnel/66.66.177.102-88.88.30.231/require;
spdadd 99.99.0.0/16 192.168.1.240/28 any -P in ipsec esp/tunnel/88.88.30.231-66.66.177.102/require;
spdadd 192.168.1.240/28 99.99.0.0/16 any -P out ipsec esp/tunnel/66.66.177.102-88.88.30.231/require;
spdadd 99.99.0.0/16 66.66.177.102 any -P in ipsec esp/tunnel/88.88.30.231-66.66.177.102/require;
spdadd 66.66.177.102 99.99.0.0/16 any -P out ipsec esp/tunnel/66.66.177.102-88.88.30.231/require;
#### Tunnel: Guinness Brewery Concentrator
spdadd 44.44.82.31 192.168.1.0/24 any -P in ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
spdadd 192.168.1.0/24 44.44.82.31 any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;
## Main Net (ireland)
spdadd 10.1.30.205 192.168.1.0/24 any -P in ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
spdadd 192.168.1.0/24 10.1.30.205 any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;
spdadd 10.1.30.205 66.66.177.102 any -P in ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
spdadd 66.66.177.102 10.1.30.205 any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;
## Mainland Dist. Net (America: New York)
spdadd 10.1.30.210 192.168.1.0/24 any -P in ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
spdadd 192.168.1.0/24 10.1.30.210 any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;
spdadd 10.1.30.210 66.66.177.102 any -P in ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
spdadd 66.66.177.102 10.1.30.210 any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;
## Western Region Sales (America: Seattle, Wa)
spdadd 10.2.30.200 192.168.1.0/24 any -P in ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
spdadd 192.168.1.0/24 10.2.30.200 any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;
spdadd 10.2.30.200 66.66.177.102 any -P in ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
spdadd 66.66.177.102 10.2.30.200 any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;
## Backup Network (America: Cheyenne, WY)
spdadd 172.16.106.10 192.168.1.0/24 any -P in ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
spdadd 192.168.1.0/24 172.16.106.10 any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;
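
A small consistency check for a policy file in this format, as an added example (not the author's tooling): it lists policies that have no opposite-direction twin and, per remote endpoint, the levels in use and how many selector pairs share that tunnel. The excerpt is constructed from a subset of the lines above with one "out" line deliberately left off; LOCAL_GW and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt in the post's format: a subset of its policy lines, with
# the final "out" twin deliberately left off to show the mirror check.
CONF = """\
spdadd 88.88.30.231 192.168.1.240/28 any -P in ipsec esp/tunnel/88.88.30.231-66.66.177.102/require;
spdadd 192.168.1.240/28 88.88.30.231 any -P out ipsec esp/tunnel/66.66.177.102-88.88.30.231/require;
spdadd 99.99.0.0/16 192.168.1.240/28 any -P in ipsec esp/tunnel/88.88.30.231-66.66.177.102/require;
spdadd 192.168.1.240/28 99.99.0.0/16 any -P out ipsec esp/tunnel/66.66.177.102-88.88.30.231/require;
spdadd 10.1.30.205 192.168.1.0/24 any -P in ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
spdadd 192.168.1.0/24 10.1.30.205 any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;
spdadd 10.1.30.210 192.168.1.0/24 any -P in ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
"""

LOCAL_GW = "66.66.177.102"  # this gateway's tunnel endpoint, as in the post
SPD = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([\d.]+)-([\d.]+)/(\w+(?::\d+)?)\s*;", re.M)


def policies(conf):
    """(src, dst, direction, tunnel_src, tunnel_dst, level) per spdadd line."""
    return [m.groups() for m in SPD.finditer(conf)]


def missing_mirrors(conf):
    """Policies lacking a twin with direction, selectors, endpoints swapped."""
    pols = set(policies(conf))
    flip = {"in": "out", "out": "in"}
    return sorted((s, d, way) for s, d, way, ts, td, lvl in pols
                  if (d, s, flip[way], td, ts, lvl) not in pols)


def peers(conf):
    """Per remote endpoint: levels in use and count of selector pairs."""
    info = defaultdict(lambda: {"levels": set(), "pairs": set()})
    for s, d, way, ts, td, lvl in policies(conf):
        peer = td if ts == LOCAL_GW else ts
        info[peer]["levels"].add(lvl)
        info[peer]["pairs"].add(frozenset((s, d)))
    return {p: (sorted(v["levels"]), len(v["pairs"])) for p, v in info.items()}
```
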