
Magna cum laude, summa cum laude, the radio's too laude

OSCAR 1.1 has been released. Woo hoo!

Here's an embarrassing note: during the OSCAR teleconference this past week, we were plagued with all kinds of audio troubles with Intel's teleconferencing system. People would drop in and out, echoes would abound, etc. But we still managed to have a reasonable conference.

The conference is normally scheduled for an hour. At the end of the hour, though, we weren't quite done. An automated announcement said, "To extend your conference for 15 more minutes, hit *9." Everyone agreed that we should continue to finish up the pending details, so I hit *9.


"Oh great," I thought, "More problems with Intel's #$#@% teleconferencing system."

A split second later, I realized that that was my fax machine -- it's programmed to pick up if you hit *9 (handy when you only have one telephone line; you can answer from any phone in the house and make the fax machine pick up if it's an incoming fax, not a person).

I had to race down the hall and rip out the phone cord from my fax machine, and then come back and tell everyone what happened. How embarrassing. :-)

We also released LAM 6.6b1 that includes, among other things, a first cut at Myrinet support. It lacks some optimizations (doesn't pin user memory that is already pinned, doesn't use shmem for communications on the same node), but those will likely have to wait until post-dissertation.

My Linksys router box came. I got it set up nicely, such that it does selective IP forwarding to my back-end boxen. I found a handy feature in OpenSSH that allows it to listen on multiple ports for incoming connections. i.e., I don't have to muck around and have two different OpenSSH servers running, each sitting on a different port -- OpenSSH allows this behavior just by editing a single config file and listing multiple ports. How cool is that?

Why is this important? ssh normally accepts connections on port 22. With my DSL connection, I only have one fixed IP address. But I have two unix machines on my backend LAN that are generally on 24/7. I would like the ability to ssh directly to both of them from the greater internet. But there's only one port 22. So my linksys box forwards all incoming port 22 requests to one machine. But what about the other? This means that I have to pick some other port.

The bummer about my linksys router is that it will only IP forward on the same port -- so I can forward port addr1:port to addr2:port. I cannot forward addr1:port1 to addr2:port2. Bummer. So if I have two incoming ssh ports on my router, the second (non-standard) port has to be forwarded to the same port on a backend machine. This is where OpenSSH's feature comes in handy -- not only does it listen on port 22 for normal ssh connections (e.g., for connections from my internal LAN), it also listens on port N for connections from the greater internet. Cool!
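As an added illustration of the two points above (example code written for this edit, not anything from the journal or from OpenSSH itself): a small Python script that parses the Port and ListenAddress lines of an sshd_config, works out where sshd will actually listen, and checks a same-port-only forwarding table like the Linksys one against each back-end box. The host names, ports and config text are constructed.

```python
# Added example, not from the journal: read the Port/ListenAddress lines of an
# sshd_config and check them against a router that can only forward
# addr1:port -> addr2:port. Host names, ports and config text are constructed.

def listen_endpoints(config_text, default_port=22):
    """(address, port) pairs sshd would bind, following OpenSSH semantics:
    each Port line adds a port; ListenAddress without a port uses every Port,
    ListenAddress host:port only that port; no ListenAddress means the IPv4
    and IPv6 wildcards. Bracketed IPv6 forms are not handled here."""
    ports, addrs = [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "port":
            ports.append(int(value))
        elif key == "listenaddress":
            value = value.split()[0]               # ignore a trailing 'rdomain'
            if value.count(":") == 1:              # host:port form
                host, port = value.split(":")
                addrs.append((host, int(port)))
            else:                                  # bare host: use all Ports
                addrs.append((value, None))
    ports = ports or [default_port]
    addrs = addrs or [("0.0.0.0", None), ("::", None)]
    endpoints = set()
    for host, port in addrs:
        for p in ([port] if port is not None else ports):
            endpoints.add((host, p))
    return sorted(endpoints)

def check_forwarding(rules, configs):
    """rules: (wan_port, backend) pairs, same port on both sides as the
    journal's router requires; configs: {backend: sshd_config text}.
    Returns (wan_port, backend, listening) for each rule."""
    results = []
    for wan_port, backend in rules:
        bound = {p for _, p in listen_endpoints(configs[backend])}
        results.append((wan_port, backend, wan_port in bound))
    return results

# Constructed sample: box-a keeps the stock config, box-b adds a second port.
CONFIGS = {
    "box-a": "# stock install, Port left commented out\n#Port 22\n",
    "box-b": "Port 22\nPort 2222\nListenAddress 192.168.1.20\n",
}
RULES = [(22, "box-a"), (2222, "box-b"), (2200, "box-a")]
```

The third rule is deliberately wrong so the report shows a forwarded port that no backend listens on, which is exactly the case the router's same-port restriction makes easy to get wrong.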

I was short a cat 5 cable, though -- had to run out to Best Buy to get one.

ARRGGHH!!! It seems that I deleted all my pine mail for July 2001. How the heck did I do that? It must have been in the monthly archive on August 1. Doh. :-(

So I initiated a report with suggest@darwin.helios.nd.edu, and they actually restored the last backup (from July 31) within a few hours, and salvaged it all. Amazing.

Windoze sucks.

Oh, I'm sorry -- have I said that before?

I'll say it again: Windoze sucks.

The following describes a windoze "gotcha" that bit me on Friday. I know that most of the jjc readers have nothing to do with windoze; I describe it here mainly because a) I'll remember it this way, and b) you never know when you (jjc reader) may need to have a few 'doze sysadmin tricks up your sleeve.

My church just bought two new computers for staff members to replace some really aging computers (the old ones were so bad that they would swap almost continually, making any amount of work extremely hard to do). They were Gateway PIII 1GHz machines (you really can't get much lower than that these days without going into Celeron country, which I highly recommend against!) with Windoze 2k. This now makes three w2k machines; the rest are all w98 and w95.

My church actually has a little LAN setup in their offices (I've described it in previous journal entries) with about a dozen machines on it. They do a few windoze shares to share some directories between machines for various databases and whatnot.

I had intended to spend 2-3 hours installing the two new computers, copying over the data from the old computers, installing the extra software that they needed, training the staff members in the differences with w2k, etc. I should have known better. <sigh>

Setting up the computers was easy enough; transferring the data, installing the extra software that they required, etc., wasn't too bad because the staff is actually fairly organized, and had all their data files in one place, etc. Yay for smart users! :-)

One weird thing, though, Printshop -- I think it was a fairly old version -- wouldn't work for regular users (i.e., not the "administrator") unless I installed it as the user. i.e., when I installed it as "administrator", it would give amorphous errors when a regular user tried to run it. I assume that this was because of permissions issues (I only had the CD case, not the original box, so I don't know if it was supposed to support NT/2k or not -- I suspect not). Whatever. I temporarily bumped up the user's access level, installed the software, reduced the user's access level to its original state, and then all was well. <sigh>

But that wasn't too big of a deal; it only took an extra 15 minutes or so to figure out.

One of the two new machines was replacing a machine that previously shared one of its directories to the rest of the LAN. This is where my troubles really began.

There is no NT domain on the LAN -- those cost many thousands of $$$! (before you scream "use Linux/Samba!", read the rest of this entry) So instead they just share a Windoze workgroup. It works well enough; we're talking about a staff that mainly does word processing, some spreadsheets, and a few databases -- nothing really fancy.

I set up the sharing on the w2k machine and then went to a w98 machine to try to mount the share (you know, check that it actually works. Sometimes this is a novel concept to IT support staff :-).

It asked for a password. WTF? It never required a password before (i.e., when the w98 box was the sharer). Not understanding why it was asking for a password, I tried a couple of obvious passwords that I thought it might be, all with no joy. Weird.

I went back and double checked all the sharing settings (permissions, etc.) on the w2k box, but everything looked fine. I went back and forth for quite a while, but could never get the w98 box to mount the share properly. Weird.

I called Johnny to see if he could help (it was about 6pm by this time). I described what I had done to him and he said that it sounded essentially correct. He was actually in a bookstore at that point, so he went over and pulled out a w2k book and looked it up, and indeed, I had everything setup the way that I should. Johnny had to run, so I continued on by myself. Unfortunately, this machine was a rather business-critical machine (more specifically, the share that it provides is rather business-critical), and I had to get it working. Bonk.

After much trial and error, I finally figured out what was going on:

  • The first important factor was that there is no NT domain. As such, there is no global authentication across all the machines. Indeed, there are only two accounts on each of the three w2k boxen: administrator and the user who sits down at that machine. This is an important fact.

  • w98 and w95 machines have no real concept of a user, so this had never mattered before. i.e., w9x sharer permissions are not based on the concept of a user.

  • When a w9x box tries to mount the share from the w2k box, it uses the username that the user "logged in" with (you know the "login" window that you can set w9x up with -- although you can hit ESC and skip it...). However, given that there is no global authentication on this LAN, that user will not exist on the sharing (w2k) machine.

  • In this situation, if the sharing machine is a w2k box, it will designate the share request as if it were coming from the "guest" account.

  • The "guest" account is initially set to "disabled" on w2k (which, although frustrating for me the other day, is actually a Good Idea). So I had to enable the guest account and assign a password to it. I then entered that password on the w98 box that was trying to mount the share, and it worked.

Woof. Stepping back, it all actually does make sense, but there were precious few clues for the uninitiated during the process to figure out what was going on. It would have helped immensely if the w98 box had shown the username that it was asking the password for. That would have tipped me off immediately. But it doesn't -- it just asks for a password.

Of course, there were at least two other alternatives that I could have done to solve this problem, but neither was attractive:

  • Set up a Linux box with samba as a primary NT domain controller, make all the windoze machines be clients in the domain, and then have all authentication centrally handled. The problem with this is that I'm not going to be in this parish forever, and I don't want to set them up with technology that they don't know how to maintain that they rely on for day-to-day business, and then leave them stranded when/if I move away from Louisville. Maybe someday, if it turns out that I'm going to be in Louisville for quite a long time. But not today.

  • I could have moved the share to a different machine (w98) and avoided all these problems, but a) someday all the machines in that office will be w2k and the problem will arise anyway, and b) there are actually political issues involved, so the share had to stay on that machine. :-)

So all in all, I'm not actually all that thrilled with the solution from a security standpoint. I had to enable the guest account to anonymously export the share. Granted, this is effectively no different than shares from a w9x box, so it is arguably no less secure than it was previously, but it still bugs me. And since there is no central authentication, I don't want to get in the business of maintaining separate accounts on all machines for every user -- that's an N^2 problem.

Grumble. Perhaps linux/samba is in their future someday, since there's no way that they could afford a real PDC license. Grumble.

Comments (1)

Hello friends,

Can anyone please tell me what summa cum laude means.





This page contains a single entry from the blog posted on August 5, 2001 9:40 AM.
