6 December 2011
Posted by Michele Baldessari under: en; tech.
I clearly lied in my previous post about that being the last Microsoft-based post. Here’s what I did to check the DNS forwarders configured on every domain controller in our forest:
$domain = "corp.local"   # not used below; the forest is discovered from the current context
$myForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# every server listed under a site of the forest is a domain controller
$dc_list = $myForest.Sites | % { $_.Servers } | Select Name
foreach ($dc in $dc_list) {
    $DCName = $dc.Name
    # the DNS server role exposes its configuration in the root\MicrosoftDNS WMI namespace
    $Server = Get-WMIObject -ComputerName $DCName -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Server"
    $Forwarders = $Server.Forwarders
    Write-Host $DCName ":" $Forwarders
}
28 November 2011
Posted by Michele Baldessari under: en; tech.
This will likely be one of my last Windows posts (more on that later). At work we upgraded our OCS server to Lync. Besides the annoyance of the product changing its name every two releases, this new version removed the possibility, which existed in OCS, of provisioning the contact groups for the OCS client. It was a WMI interface and it was quite handy.
Especially in cases where the rollout is not company-wide and users aren’t sure who has Lync and who doesn’t, having groups provisioned administratively is very handy. So I spent a couple of evenings on this and it turned out that it’s not really *that* difficult.
After poking around a bit in the DB I noticed some stored procedures that would be quite useful. So I cooked up a script that takes a folder and, for every CSV file stored in that folder (one sAMAccountName per line), creates a group named after the file and populates it with the users contained in that file. E.g. the file IT-Dept.csv containing the users jon123 and joe456 will create a group called “IT-Dept” containing both users, and only for those two users.
Disclaimer: this script is still buggy, it’s coded horrendously and it’s a very quick hack. Back up your DB before toying with it. I won’t have time to clean it up or refine it, so feel free to tweak it, put it on GitHub, etc.
Here it is: sync-lync-rosters.ps1
12 September 2011
Posted by Michele Baldessari under: en; tech.
I need to check, among all certificates issued by a Microsoft PKI, whether any belong to a disabled or otherwise invalid Active Directory account. Since PowerShell seems to be the future for scripting on the Microsoft platform, I cooked up the following script: check-ad-pki.ps1. It uses the PowerShell PKI module, which can be found here.
It’s my first stab at something in PowerShell, so I do appreciate any feedback on this. If anyone has better approaches to finding certificates issued to a user that is now disabled or expired, that would be cool too.
8 September 2011
Posted by Michele Baldessari under: en; tech.
It’s the month of Nagios checks, I guess. I needed to monitor the status of the HA FortiGate clusters we have around the world. There is a very rudimentary plugin on the Nagios Exchange site, but it is a Perl script that forks another Perl script a bunch of times, and I already have 600 hosts and more than a thousand services, so I thought I’d implement something a bit cleaner in Python.
The only documentation on the FortiGate HA MIBs I was able to find is here: http://www.oidview.com/mibs/12356/FORTINET-MIB-280.html
Interestingly enough, the OID that contains the names of the nodes in the cluster (SNMPv2-SMI::enterprises.12356.1.100.6.1.11.) is not mentioned there at all. The standard FortiGate cluster is a fairly strange beast, in the sense that there is only one IP address (no physical IPs plus a virtual one, as in most clusters) and the firewalls exchange all configuration and state over multicast on a separate link. That’s why the first time the script runs it stores the names and serial numbers of the nodes in a file, and on subsequent runs it checks that the order is still the same.
Here is the script: fortinet-ha.py
I didn’t add any SNMP v1 or SNMP v3 support as I have no time at the moment, but that should be quite trivial to add.
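The baseline-and-compare logic described above, written out as an added Python example (this is not the post’s fortinet-ha.py). The SNMP walk is replaced by a constructed table of the shape snmpwalk returns: the hostname column is the OID the post names, the serial-number column suffix is an assumption that has to be checked against the MIB, and the serials and hostnames are made up. Exit codes follow the Nagios plugin convention.

```python
import json
import os
import sys
import tempfile
from typing import Dict, List, Tuple

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# HA member hostname column: the OID named in the post.
HA_NAME_OID = ".1.3.6.1.4.1.12356.1.100.6.1.11"
# Assumption: the serial-number column is another column of the same HA table;
# its real suffix is not given in the post and must be verified against the MIB.
HA_SERIAL_OID = ".1.3.6.1.4.1.12356.1.100.6.1.2"

# Constructed walk result ({OID: value}), the shape an snmpwalk of the table
# returns. Serials and hostnames are invented.
SAMPLE_WALK: Dict[str, str] = {
    HA_SERIAL_OID + ".1": "FGT60XXXXXXXXXX1",
    HA_SERIAL_OID + ".2": "FGT60XXXXXXXXXX2",
    HA_NAME_OID + ".1": "fw-site1-a",
    HA_NAME_OID + ".2": "fw-site1-b",
}

Member = Tuple[str, str]  # (serial, hostname)


def parse_ha_table(walk: Dict[str, str]) -> List[Member]:
    """Group the walk by table index and return the members in table order."""
    rows: Dict[int, Dict[str, str]] = {}
    for oid, value in walk.items():
        for column, field in ((HA_SERIAL_OID, "serial"), (HA_NAME_OID, "name")):
            if oid.startswith(column + "."):
                idx = int(oid[len(column) + 1:])
                rows.setdefault(idx, {})[field] = value
    return [(rows[i].get("serial", "?"), rows[i].get("name", "?")) for i in sorted(rows)]


def describe(members: List[Member]) -> str:
    return ", ".join(f"{name} ({serial})" for serial, name in members)


def check_cluster(members: List[Member], state_path: str, expected_size: int = 2) -> Tuple[int, str]:
    """First run records the member list; later runs compare set and order against it."""
    if len(members) < expected_size:
        return CRITICAL, f"only {len(members)} of {expected_size} HA members visible: {describe(members)}"
    if not os.path.exists(state_path):
        with open(state_path, "w") as fh:
            json.dump(members, fh)
        return OK, "baseline recorded: " + describe(members)
    with open(state_path) as fh:
        baseline = [tuple(m) for m in json.load(fh)]
    if set(baseline) != set(members):
        # A box was swapped or replaced: serial numbers differ from the baseline.
        return CRITICAL, f"member set changed; was {describe(baseline)}, now {describe(members)}"
    if baseline != members:
        # Same boxes, different table order: the condition the post's script alarms on.
        # The baseline is deliberately not rewritten; delete the state file to accept the new order.
        return WARNING, f"member order changed: {describe(members)}"
    return OK, "cluster unchanged: " + describe(members)


def fresh_state_path() -> str:
    """Path of a state file that does not exist yet (for stand-alone runs and tests)."""
    fd, path = tempfile.mkstemp(prefix="fortinet-ha-")
    os.close(fd)
    os.unlink(path)
    return path


if __name__ == "__main__":
    code, message = check_cluster(parse_ha_table(SAMPLE_WALK), fresh_state_path())
    print(["OK", "WARNING", "CRITICAL", "UNKNOWN"][code] + " - " + message)
    sys.exit(code)
```

In a real plugin the state file would live somewhere persistent and be keyed by cluster, and the walk would come from an SNMP library; the comparison logic is what the post describes and is unchanged by that.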
5 September 2011
Posted by Michele Baldessari under: en; tech.
Long time no blog. As a note to myself, so I won’t forget anymore:
When you pull a full disk image (sda.disk) with dd and it contains more than one partition, just do the following: multiply the partition’s start sector by 512 bytes to get the byte offset, and mount will figure the rest out by itself (for an evidence image, add ro to the mount options so nothing can write to it):
bazz:/mnt/ntfs/# sfdisk -l -uS sda.disk
Disk sda.disk: cannot get geometry
Disk sda.disk: 9729 cylinders, 255 heads, 63 sectors/track
Units = sectors of 512 bytes, counting from 0

   Device Boot     Start        End   #sectors  Id  System
sda.disk1             63  156296384  156296322   7  HPFS/NTFS
sda.disk2   *   19438650   19470779      32130   e  W95 FAT16 (LBA)
        start: (c,h,s) expected (1023,254,63) found (1023,0,1)
sda.disk3              0          -          0   0  Empty
sda.disk4              0          -          0   0  Empty
bazz:/mnt/ntfs/# mount -o loop,offset=$(echo "63*512" | bc) sda.disk /mnt/foo
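Doing by hand what sfdisk -l -uS does above, as an added Python example (not from the post): read the four 16-byte MBR partition entries at offset 0x1BE and turn each start sector into the byte offset that mount -o loop,offset= needs. The 512-byte image is constructed in the block to carry the same two partitions the listing shows; it handles a classic MBR only, not GPT.

```python
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
PART_TABLE = 0x1BE      # four 16-byte entries; the 0x55AA boot signature follows at 0x1FE
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY = "<B3xB3xII"


@dataclass
class Partition:
    number: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sectors - 1

    @property
    def offset(self) -> int:
        """Byte offset of the partition inside the image: what mount -o offset= wants."""
        return self.start_lba * SECTOR


def is_mbr(image: bytes) -> bool:
    return len(image) >= SECTOR and image[510:512] == b"\x55\xaa"


def parse_mbr(image: bytes) -> List[Partition]:
    """Return the non-empty primary partitions of an MBR-partitioned image."""
    if not is_mbr(image):
        raise ValueError("no 0x55AA boot signature at offset 510: not an MBR image")
    parts = []
    for n in range(4):
        raw = image[PART_TABLE + 16 * n: PART_TABLE + 16 * (n + 1)]
        status, type_id, start, count = struct.unpack(ENTRY, raw)
        if type_id == 0 or count == 0:          # empty slot, shown by sfdisk as "Empty"
            continue
        if status not in (0x00, 0x80):          # anything else means a damaged or fake table
            raise ValueError(f"entry {n + 1}: invalid status byte {status:#x}")
        parts.append(Partition(n + 1, status == 0x80, type_id, start, count))
    return parts


def mount_command(part: Partition, image_path: str, mountpoint: str) -> str:
    # ro keeps an evidence image pristine; loop lets mount operate on a plain file
    return f"mount -o ro,loop,offset={part.offset} {image_path} {mountpoint}"


def build_sample_image() -> bytes:
    """Constructed MBR mirroring the two partitions in the sfdisk listing above."""
    def entry(bootable: bool, type_id: int, start: int, count: int) -> bytes:
        return struct.pack(ENTRY, 0x80 if bootable else 0x00, type_id, start, count)
    mbr = bytearray(SECTOR)
    mbr[PART_TABLE:PART_TABLE + 32] = entry(False, 0x07, 63, 156296322) + entry(True, 0x0E, 19438650, 32130)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    for p in parse_mbr(build_sample_image()):
        print(f"part {p.number}: type {p.type_id:#04x} start {p.start_lba} end {p.end_lba} -> offset {p.offset}")
        print("  " + mount_command(p, "sda.disk", f"/mnt/part{p.number}"))
```

Running it against a real image means passing the first 512 bytes of the file to parse_mbr; the offsets it prints are the same numbers the bc one-liner above produces, computed for every partition at once.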
15 January 2011
Posted by Michele Baldessari under: en; tech.
If you want to use the GreenSQL database firewall with MediaWiki, you’ll need a small patch that disables the SQL comment MediaWiki inserts into every query:
diff -up ./includes/db/Database.php.orig ./includes/db/Database.php
--- ./includes/db/Database.php.orig 2011-01-15 20:31:07.000000000 +0100
+++ ./includes/db/Database.php 2011-01-15 20:31:48.000000000 +0100
@@ -473,19 +473,19 @@ abstract class DatabaseBase {
# Add a comment for easy SHOW PROCESSLIST interpretation
#if ( $fname ) {
- global $wgUser;
- if ( is_object( $wgUser ) && !($wgUser instanceof StubObject) ) {
- $userName = $wgUser->getName();
- if ( mb_strlen( $userName ) > 15 ) {
- $userName = mb_substr( $userName, 0, 15 ) . '...';
- }
- $userName = str_replace( '/', '', $userName );
- } else {
- $userName = '';
- }
- $commentedSql = preg_replace('/\s/', " /* $fname $userName */ ", $sql, 1);
+ # global $wgUser;
+ # if ( is_object( $wgUser ) && !($wgUser instanceof StubObject) ) {
+ # $userName = $wgUser->getName();
+ # if ( mb_strlen( $userName ) > 15 ) {
+ # $userName = mb_substr( $userName, 0, 15 ) . '...';
+ # }
+ # $userName = str_replace( '/', '', $userName );
+ # } else {
+ # $userName = '';
+ # }
+ # # $commentedSql = preg_replace('/\s/', " /* $fname $userName */ ", $sql, 1);
#} else {
- # $commentedSql = $sql;
+ $commentedSql = $sql;
#}
# If DBO_TRX is set, start a transaction
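Review bot: after this hunk `$commentedSql = $sql;` is the only live statement, so the `#if ( $fname ) {` / `#} else {` / `#}` skeleton and the eleven newly commented lines are dead text, and the line `+ # # $commentedSql = preg_replace('/\s/', " /* $fname $userName */ ", $sql, 1);` carries a doubled `# #`. Either delete the block outright or, better, keep the original code and guard it with a configuration switch (a boolean set from LocalSettings.php) so the `/* $fname $userName */` comment, which is what makes SHOW PROCESSLIST readable, can be turned back on where no SQL proxy rejects comments. Also note that this edits a core file (includes/db/Database.php), so the change is lost on the next MediaWiki upgrade; keep it as a maintained patch in the deployment notes.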
11 January 2011
Posted by Michele Baldessari under: en; tech.
When printing to a PDF file from Firefox gives horrible, broken spacing between characters, disable font hinting in your ~/.fonts.conf (the snippet sets hintstyle to hintnone) and restart Firefox:
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
  <match target="font">
    <edit mode="assign" name="hintstyle">
      <const>hintnone</const>
    </edit>
  </match>
</fontconfig>
The problem is known in the Firefox community but not solved. The workaround is especially useful if you run mozilla2ps under Xvfb on a server, where the problem is very noticeable.
1 January 2011
Posted by Michele Baldessari under: en; tech.
Here’s a different approach to checking your PKI’s CRL than the one on the Nagios plugins website. I rewrote it in Python in order to be able to fetch CRLs from a web server: http://acksyn.org/files/check_crl.py
Note: updated it to Python 3 and with correct exit codes. Still not much tested.
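As an added Python example, not the post’s check_crl.py: the part of a CRL check that decides the Nagios exit code, with a minimal DER walk that pulls thisUpdate and nextUpdate out of the CertificateList so no third-party module is needed. The sample CRL is constructed in the block (v2, issuer “Example CA”, valid 2011-01-01 to 2011-01-08, zeroed signature bits) so the check runs offline; fetch_crl shows the HTTP retrieval the post mentions and is not exercised by the sample. The warning and critical thresholds (48 h and 12 h before nextUpdate) are assumptions.

```python
import urllib.request
from datetime import datetime, timezone
from typing import Optional, Tuple

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios exit codes


def _der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (used only to construct the sample CRL)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + payload


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in a CRL header")
    if first & 0x80:
        size = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + size], "big")
        start = pos + 2 + size
    else:
        length, start = first, pos + 2
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def _parse_time(tag: int, value: bytes) -> datetime:
    text = value.decode("ascii")
    if tag == 0x17:                  # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        yy = int(text[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:]
    elif tag == 0x18:                # GeneralizedTime YYYYMMDDHHMMSSZ
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError(f"expected a Time, got tag {tag:#x}")
    if len(rest) != 11 or rest[-1] != "Z":
        raise ValueError(f"unsupported time encoding {text!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def crl_validity(crl_der: bytes) -> Tuple[datetime, Optional[datetime]]:
    """Walk CertificateList -> tbsCertList and return (thisUpdate, nextUpdate)."""
    tag, cert_list, _ = _read_tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("CertificateList is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_list, 0)
    if tag != 0x30:
        raise ValueError("tbsCertList is not a SEQUENCE")
    tag, _, pos = _read_tlv(tbs, 0)          # version INTEGER (v2 only) or signature AlgorithmIdentifier
    if tag == 0x02:
        tag, _, pos = _read_tlv(tbs, pos)    # signature AlgorithmIdentifier
    tag, _, pos = _read_tlv(tbs, pos)        # issuer Name
    tag, value, pos = _read_tlv(tbs, pos)    # thisUpdate
    this_update = _parse_time(tag, value)
    next_update = None
    if pos < len(tbs):
        tag, value, _ = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):              # otherwise the next element is revokedCertificates
            next_update = _parse_time(tag, value)
    return this_update, next_update


def check_crl(crl_der: bytes, now: datetime, warn_hours: float = 48, crit_hours: float = 12) -> Tuple[int, str]:
    """Map the CRL's validity window onto a Nagios state and message."""
    try:
        this_update, next_update = crl_validity(crl_der)
    except (ValueError, IndexError, UnicodeDecodeError) as exc:
        return UNKNOWN, f"cannot parse CRL: {exc}"
    if next_update is None:
        return WARNING, "CRL carries no nextUpdate; staleness cannot be judged"
    if now < this_update:
        return CRITICAL, f"thisUpdate {this_update:%Y-%m-%dT%H:%MZ} is in the future (clock skew or wrong CRL)"
    left_h = (next_update - now).total_seconds() / 3600
    stamp = f"{next_update:%Y-%m-%dT%H:%MZ}"
    if left_h <= 0:
        return CRITICAL, f"CRL expired at {stamp}; relying parties will reject it or fail open"
    if left_h <= crit_hours:
        return CRITICAL, f"CRL expires at {stamp}, {left_h:.1f}h left"
    if left_h <= warn_hours:
        return WARNING, f"CRL expires at {stamp}, {left_h:.1f}h left"
    return OK, f"CRL valid until {stamp}, {left_h:.1f}h left"


def fetch_crl(url: str, timeout: float = 10.0) -> bytes:
    """Retrieve a CRL from its HTTP distribution point (the CRL is signed, so plain HTTP is normal)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def build_sample_crl() -> bytes:
    """Constructed v2 CRL: issuer 'Example CA', valid 2011-01-01 to 2011-01-08, zeroed signature."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Example CA"))
    issuer = _der(0x30, _der(0x31, cn))
    tbs = _der(0x30, _der(0x02, b"\x01") + sha256_rsa + issuer
               + _der(0x17, b"110101000000Z") + _der(0x17, b"110108000000Z"))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" + bytes(4)))
```

The check deliberately does not verify the CRL signature: a monitoring plugin that only watches freshness should still go CRITICAL when the CA publishes nothing new, and signature validation belongs to the relying parties that consume the CRL.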
20 October 2010
Posted by Michele Baldessari under: en; tech.
During my summer holidays I started reading up a bit on IPv6. Partly out of sheer curiosity and partly because in 2011 the real fun will start. I started reading the excellent “Running IPv6” book from Apress. I can heartily recommend this book: practical, detailed and with a lot of background information on the choices made during the IETF IPv6 standardization process.
After having read a few chapters, I needed to get my feet wet with IPv6 and so I went hunting for an IPv6 tunnel broker. First I checked whether my current ISP (Telecom Italia..[sic]) had something available. Apparently they had a project called ngnet.it going for their IPv6 testbed, but their site seems to be down, so I presume it has been discontinued. The choice came down to SixXS and Hurricane Electric. I chose Hurricane Electric because they seemed less intrusive with the registration process. The setup was trivial and everything was up and running quite smoothly.
The only hiccup was remembering to clamp the TCP MSS to the MTU with ip6tables as well, not only with iptables. Once I figured that out, the whole IPv6 experience was pretty smooth:
ip6tables -t mangle -A FORWARD -o hurricane -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1250:1536 -j TCPMSS --clamp-mss-to-mtu
Setting up IPv6 connectivity on my server was trivial, since no IPv6-in-IPv4 tunnels were needed. A couple of AAAA records and IMAP, DNS, SSH and HTTP were working without any problems at all.
Just for the fun of it I took their quiz.
9 October 2010
Posted by Michele Baldessari under: en; life; tech.
So after about 10 years of using pupazzo.org, I decided it was time for a change; I did not like the domain name any longer. That’s why I switched to the new acksyn.org name. With this change I completely redid the mail server setup and moved to Dovecot and Postfix with virtual users mapped to system users. I still need to fix a couple of things here and there, but most of the services should be in place.
I will still be reading mail sent to the old domain for some time, but please use the new one if you read this.
As an added bonus, SMTP, WWW and IMAP are now reachable via IPv6.