Spent some time this afternoon finalizing plans for EAV with Brad.
Seems like a pretty decent system, and I got him some code for doing getpwnam/getpwuid functions in LDAP instead so that we can be FERPA-compliant in EAV (once LDAP is FERPA-compliant).
I just stopped by the Dennis Mac lab, and it seems that the LDAP indexing I did back here may have helped things out on the Macs as well.
It used to take 30 seconds or so to log in, at least (I never specifically timed it, except under heavy LDAP failure conditions, where it could take 2 minutes). At this point it takes 6 seconds to get from pressing return at the login prompt to a stable desktop, even on a machine just awoken from sleep. Not bad, I’d say.
I tweaked the Apache config on the monitor box until I got SSL working properly.
I want SSL forced (redirected via mod_rewrite) on the NAGIOS portion of the server, but not on the Cricket portion. The right thing turns out to be a RewriteRule that looks like this:
RewriteRule ^/nagios(.*)$ https://%{SERVER_NAME}/nagios$1 [R=permanent,L]
so that it only fires for the /nagios location. Putting it inside a Location directive doesn’t work.
This brought out some peculiarities of SHANTI.
Mainly being the problem with soft updates on the root partition, which I’ve known about for a long time. I’ve made a few more timing modifications to the account.pl part of ecs-usermgr, so we should hopefully be slightly more immune to this in the future. Nevertheless, I suspect that batch creations and deletions should be split(1) into files of no more than 50-75 accounts each.
Finally figured out the right magic fairy dust to sprinkle on Samba 3 to make Domain Admins work.
Apparently all the domain member systems still think that RID 512 is in the Administrators group, so the trick was to convince Samba 3 that RID 512 should be applied to the old Unix group that we had for domain admins in Samba 2. Apparently, also, the “net groupmap” command can take lots of arguments, so this works:
net groupmap rid=512 ntgroup="Domain Admins" unixgroup=whatever
And this overrides the algorithmic RID generation for the whatever Unix group, giving it RID 512, and maps it to “Domain Admins” on the domain side.
Sent Dusko new LDAP authentication code for WebDB that tries to bind with a supplied DN and password in order to search for the user’s DN instead of doing this bind anonymously.
This is so that we can start marking records in LDAP as confidential as well as in WebDB/Banner.
This morning got some Moodle tweaking done.
PostgreSQL doesn’t like the backtick operator which is used in getting log reports for the user activity graphs. I submitted a bug report regarding this.
Enabled the guest user in Moodle so that guests can peruse open courses.
In moving the ecs-usermgr account management script to RAHU, I’ve made a few improvements.
Previously, I had changed the MAILMAN module so that the lists that a user is subscribed to are taken from the donor code to list mapping in accounts.conf. This is to support dynamic list configs and the ability to subscribe people to more than one list.
Still trying to figure out the problem with domain admins in Samba 3.
I may be onto something with pushing out group policies in the ntconfig.pol, but to get the policies into there, I may be having to muck with the .adm files that are templates for the policy editor. Since there’s practically no doco on this, it’s a little hard going.
Or something of the sort.
Or, more precisely, don’t create a group with 5000+ users in it and expect the LDAPv3 plugin on DirectoryServices to stay running. I had created this large group to be the “Domain Users” mapped group in Samba 3 and added all users to it. Unfortunately, when DirectoryServices on MacOS X looks up the groups of which a user is a member, it gets back the complete list of memberUid attributes for the resulting groups. Something that large apparently causes it to crash.
Monday I finished getting all of the accounts migrated to RAHU and turned on quotas.
All home directories live on RAHU now, and I set appropriate quotas for the space people are using. Then I ran the quota import tool for self service quotas. Finally, I remapped H: on the Windows domain to RAHU and added Z: for the backup share (the VxFS snapshot). It all went pretty smoothly.
Got Samba upgraded on SHANTI to v3.0.5.
Some minor difficulties:
After these hurdles (which took longer than expected due to really crappy Samba documentation), everything seems to be working. Password changes are even working.
Spent the afternoon generating new student accounts.
As usual, there were a few wrinkles to be ironed out. A couple of people who are “others” that are now students (presumably faculty brats or somesuch). A few folks who are coming back after an absence, often having been Explore-A-College. And only one collision of two folks with nearly identical names (no middle name on one, so I used the standard basename+1 for the one with no middle name and the MI for the one with a middle name).
Standard procedure: turn off LDAP/NIS exports on both SHANTI and KE, run the new accounts, catch any fallout (file system full when munging the /etc/passwd on SHANTI or can’t contact LDAP server), manually push the NIS stuff out, run the new accounts on PAX and KE, and then turn the NIS stuff back on.
Getting perl modules installed on RONGO for WebDB.
A bunch of new perl modules are needed for the new WebDB on RONGO, so I was getting those up. Also helped Kevin Hunter with understanding the smbpasswd code in the password changing module.
Spent Friday, Monday, and today ironing out some things in snort and netsquid.
Apparently the thresholding doesn’t work as expected in snort — when any rule with a threshold is active, it seems that most other rules are ignored. I took out the SMTP thresholding rules and things are better.
NetSQUID 1.4.1 is out and I’ve got that on the test boxes, complete with our local modifications for nail alerts. I’ll be making an install CD of that soon for the herd of boxes when they arrive.
At least in snort.
The ECS testing rule was never working, and it was at the top of the second included file. Change the order of the included files, and it works. Need to make this change across the board, look carefully at the rule files, and also suss out the -N issue on snort — see if it’s needed or not.
Went off on the nutty idea of writing a short newsletter for ECS this morning.
Started with a layout in Word and asking the rest of the department to give me ideas. We’ve got people for NetSQUID, Moodle, training, new lab computers, Altiris, the new WebDB, and Radmind. The idea is to put it all together in this nice layout, print out a good number of color copies, and scatter them around campus the first weeks of the semester.
Brought down the LDAP server again to create indices for sambaSID, sambaPrimaryGroupSID, and sambaDomainName. Naturally, this took a couple of tries and totally munched authentication while it happened. Took about 20 minutes total, for future reference.
Adding the object classes and attribute types for Samba 3.0.x to iPlanet is slightly tricky.
I probably did it this way when I added the 2.2.x types as well, but I didn’t have any records of it.
I had thought that there was a GUI console method of loading new schema types, but could find none. Instead, cut the schema file into new object classes and new attribute types, ditch the ACI specs, and simply present to iPlanet with ldapmodify as a modify changetype with additions for the attribute types first and then the object classes (that order, so that the schema checking knows about the attribute types the object classes reference by the time they’re being referenced).
I left the attribute type and object class LDIF files in my home directory on ASHTI.
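An added example (not from the original post) of the cut-and-present step above: it takes an OpenLDAP-style samba.schema fragment, keeps only the attributetype and objectclass definitions (comments and anything else are dropped), and emits two LDIF modifies against cn=schema, attribute types in one document and object classes in the other, to be fed to ldapmodify in that order. The cn=schema DN and the attributeTypes/objectClasses attribute names are the Netscape/iPlanet conventions; the embedded sample schema is constructed and trimmed.

```python
import re

# Constructed sample in OpenLDAP samba.schema syntax, trimmed to two entries
# (the OIDs are Samba's own for sambaSID and sambaSamAccount; lists shortened).
SAMPLE_SCHEMA = """\
# comment lines and anything that is not attributetype/objectclass are dropped
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
        DESC 'Security ID'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
        DESC 'Samba 3.0 Auxiliary SAM Account'
        MUST ( uid $ sambaSID )
        MAY ( cn $ sambaLMPassword $ sambaNTPassword ))
"""
KEYWORD = re.compile(r'^(attributetype|objectclass)\s*\(', re.I | re.M)

def parse_schema(text):
    """Return (attribute_types, object_classes) as '( ... )' strings in file
    order. Nested parens (MUST/MAY lists) are balanced by depth counting."""
    attrs, classes = [], []
    for m in KEYWORD.finditer(text):
        i = start = m.end() - 1          # index of the opening paren
        depth = 0
        while i < len(text):
            depth += {'(': 1, ')': -1}.get(text[i], 0)
            if depth == 0:
                break
            i += 1
        body = ' '.join(text[start:i + 1].split())   # collapse whitespace
        (attrs if m.group(1).lower() == 'attributetype' else classes).append(body)
    return attrs, classes

def fold(line, width=76):
    """RFC 2849 line folding: continuation lines begin with one space."""
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(' ' + rest[:width - 1])
        rest = rest[width - 1:]
    return '\n'.join(chunks)

def to_ldif(attr, defs):
    """One 'changetype: modify' against cn=schema adding every definition."""
    lines = ['dn: cn=schema', 'changetype: modify', 'add: ' + attr]
    lines += [fold(attr + ': ' + d) for d in defs]
    return '\n'.join(lines + ['-']) + '\n'

def split_schema(text):
    attrs, classes = parse_schema(text)
    return to_ldif('attributeTypes', attrs), to_ldif('objectClasses', classes)
```

Write the two returned documents to separate files and run ldapmodify on the attribute-type file first; loading the object-class file first fails schema checking because its MUST/MAY attributes are not yet defined.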