Trying to get Red Hat Enterprise Linux to accept a DVD-based repository

Posted on By Mark Wilson

I use Windows computers every day, I run my home stuff on a Mac and I want to continue to develop my Linux skills – so, I decided to build a Linux server at home. Out came my Red Hat Enterprise Linux 5 installation DVD and a short while later I had a working server. Great. Next, I wanted to customise the installed packages (the installer had given me the option to customise later, which I had accepted) – I fired up the Package Manager and…

…that’s right, a big empty white space in the browse list – the only listed packages were those that had been installed at setup time.

It seems that yum/pirut cannot read the RHEL installation DVD. After some googling, I decided to set up a new repository and created a file in /etc/yum.repos.d called rhel-dvd.repo, the contents of which were:

[dvd]
mediaid=1170972069.396645
name=DVD for RHEL5
baseurl=file:///media/RHEL_5%20i386%20DVD
enabled=1
gpgcheck=0

(the mediaid=1170972069.396645 line is the first line from the .discinfo file on the RHEL DVD, based on a comment on Jeremy Katz’s site.)

Cannot open/read repomd.xml file for repository: dvdIt seemed to recognise my DVD as an installation source but not as a valid repository, so after digging a little deeper I found that mediaid= requires yum 3.1.2 or later and I ended up in dependency hell (exactly what rpm is supposed to avoid).

This is crazy – it seems that Red Hat expect me to install everything from the Red Hat Network (RHN) – what about servers that do not have a connection to the Internet (or to an RHN proxy/satellite server)? Surely installation from the RHEL DVD should be an option (I suppose it is, technically, if I know what every RPM is for – that’s where the pirut browse capability is so useful).

For once, I give in. I could spend hours on this issue (I’ve already spent a few too many) but it’s Friday evening now and my bad IT day has turned into a bad IT week. I need to put the kids to bed and then have a quiet evening in with a large glass (or two) of wine.

In the meantime, if anyone has any ideas on how to get yum/pirut to recognise a CD/DVD as valid installation media, please leave a comment.

Non-existent fax extension causes Outlook error

Posted on By Mark Wilson

My clean installation of Windows Vista and Office 2007 has been presenting me with a strange error on the first time that I reply to an e-mail in Outlook:

Microsoft Office Outlook

The Add-in “FaxExtension” (C:\Windows\System32\fxsext32.dll) cannot be loaded and has been disabled by Outlook. Please contact the Add-in manufacturer for an update. If no update is available, please uninstall the Add-in.

After clicking OK, everything is fine until the next time I open Outlook and reply to a message. It’s all a bit odd, because I don’t have a fax extension installed. Then I found a newsgroup post which commented that sometimes deleting the FaxExtension key from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Extensions will prevent this error from occuring.

I checked the registry and sure enough, there was the key, with a value of 4.0;C:\\Windows\\System32\\fxsext32.dll;1;00000100000000″.

I shut down Outlook, removed the offending key, restarted Outlook and haven’t seen the message since. Guess that’s a bug then.

Do IT qualifications really matter?

Posted on By Mark Wilson

A few days back, I received an e-mail from a young man in Pakistan who had found my website on the Internet and wanted some advice. This is what he had to say (edited for grammar and spelling):

“I have a Bachelors degree in Computer Sciences and am studying for MCSE certification.

[…]

My question to you as a newbie in the networking field is are certifications necessary to jump and fly high in this field and even if it’s true then do I have to stick to Microsoft or can I do a mixture of Cisco and Microsoft certifications. Lots of “thinktanks” here in Pakistan say that a person with MCSE, CCNA AND CCNP certifications is a much needed guy for IT companies.

I am sooooooooooooooo confused as to where I should move.”

The reason I’m blogging about this is because he raised some interesting points. I too have a bachelors degree in Computer Studies and I don’t consider that it’s been of any practical use to me in my work. The process of leaving home and going to university helped me progress from home life to becoming an independent young man (actually, it was a Polytechnic when I started my course – reflecting the vocational nature of its tuition – but don’t get me started about how all the Technical Colleges and Polytechnics have become “Universities” and what a bad idea that is) and it set me up with some valuable first-hand experience about managing personal finances (i.e. debt… and that was 13 years ago – I feel really sorry for today’s young graduates who have no access to grants and have to pay tuition fees too).

My degree was simply a means to join the career ladder at a certain level. Please don’t misunderstand me – I’m sure that has opened some doors that might otherwise have been closed (or would at least have been harder to force my way through) but it was by no means essential to reaching the position that I have today (perhaps I should have aimed higher?) and I have not used any of the Computer Studies skills that I learnt along the way so I could have studied anything (given the amount of writing I do today – perhaps I should have studied English, or journalism? Who knows – back then I didn’t know what I wanted to do with my life!).

IT certifications are similar. I hold a variety of IT certifications but none of that matters if I don’t have experience to back up the qualifications. Sometimes you have to admit your shortcomings too – I didn’t feel comfortable being flown in to one potential customer as an expert earlier this week because I haven’t done anything practical with the associated technology for a long time now. The customer would have seen through me and that would have damaged both mine and my employer’s credibility.

I learnt a few days back that a colleague, whose advice and experience I hold in very high regard, holds no IT certifications. Equally I have friends and colleagues who left school at 16 or 18 and that’s not prevented them from reaching the the same (or a higher) position within the company as myself.

I understand that the UK government has a target for 50% of all school leavers should go to university (Why? Do 50% of all jobs require a degree? How about 50% or more of all school leavers going on to some form of further or higher education – whether that be vocational or academic). When I meet new graduates I recognise how wet behind the ears I was when I started out all those years ago. Which nicely illustrates my point – that it doesn’t matter how highly qualified you are – what really counts is experience, even if the company does still insist that you have the letters after your name before you can get through the door.

Windows fast user switching + Zone Alarm = bad IT day

Posted on By Mark Wilson

My poor colleagues had to put up with a lot of complaining yesterday. I was having a bad IT day (when nothing seems to go well). And it seems to be continuing today.

I recently rebuilt my company notebook PC to run Windows Vista and Office 2007. That’s going well but then there’s all the stuff that goes on top (anti-virus software, corporate VPN client, etc.). My colleague and trusted advisor, Garry, helped me to get all that in place, an administrator added my machine to the corporate domain and before I left last night I logged on so that I had a profile for my domain account with cached user credentials (for working at home today).

It should have been fine but I didn’t log out from my original account because I was in the middle of something – I used the fast user switching feature instead and then waited… and waited… and waited… as Windows tried to set up my profile.

In the end I gave up and logged out, only to find a load of Zone Alarm messages popped up under the original account.

“Blah blah blah is trying to do something… do you want to allow this?” I don’t know – probably! Just let me get on with logging in.

Today it’s more of the same, as switching back to my old (non-domain) profile to run Windows Easy Transfer resulted in the same problem.

I think Garry was quite disturbed to see how I (and another colleague) quickly tired of reading these incessant firewall popups and just clicked the “allow” button (and the “don’t bug me again” checkbox) every time – which proves a point I made about firewall messages almost two years ago. And anyway, what’s wrong with the Windows Firewall? If I didn’t have to use Zone Alarm to meet VPN access policies then I wouldn’t. Grrr.

The good news is that Windows Easy Transfer was really useful for migrating my application settings from my old profile to the new domain profile (I didn’t use it for the files as it’s easier to just drag and drop them in Explorer).

Windows Server UK user group

Posted on By Mark Wilson

Scotty McLeod has been working hard to get the Windows Server User Group UK website off the existing SharePoint platform and onto something more appropriate (SharePoint is great for some things but it was not great for the user group website – hey, even SharePoint blogs uses Community Server! Come to think of it, so do most of the Microsoft blog sites!).

Anyway, head over to http://www.winserverteam.org.uk/. It’s still work in progress but, over the coming weeks and months, I’m hoping it will grow to become a lively discussion area (backed up with regular meetings) for UK-based IT Professionals who are interested in the development of the Windows Server platform.

Some more about Terminal Services Gateway Servers

Posted on By Mark Wilson

In an earlier post, I mentioned Austin Osuide’s recent Windows Server User Group presentation on Terminal Services Gateway Server and what follows is some of the detail from that session.

Terminal Services Gateway Server is a server role in Windows Server 2008 – effectively a protocol translator that allows authorised users to remotely access resources on a corporate LAN using RDP over HTTPS.

Up until now, it’s been necessary to open TCP port 3389 to allow RDP traffic through the corporate firewall but by encapsulating the RDP traffic within an SSL-secured tunnel, control may be exercised over which computers (and hence which applications), users can connect to and from. Other advantages include the fact that there is no need for a VPN infrastructure, so connectivity can be gained from any PC, anywhere (home, hotel, business partner or client premises, mobile or wireless hotspot). Then there are other advantages for IT organisations looking to reduce costs…

Consider a large outsourcer, with many support teams, each supporting a single customer’s infrastructure. What if one team (with the appropriately scaled resources) could manage multiple networks? Maybe even in an offshore scenario? As an IT professional, I’m not keen on this and as a customer I would be concerned about the potential impact on security but what if my managers could convince the customer that they can maintain security in a global infrastructure such as this? Using technologies such as network access protection (NAP) the health of any connected devices can be ensured and terminal services gateway servers can be deployed to control who can connect to which computers – perhaps only to defined administrative servers with a controlled application set.

The process for connection is as follows:

  1. Client tunnel RDP connection through HTTPS.
  2. Terminal Services Gateway strips out the HTTPS encapsulation and forwards the request to the terminal server/remote desktop (if the request passes appropriate policy checks – connection authorisation policies control who can connect and resource authorisation policies control what they can connect to, using user-defined or built-in groups for servers).
  3. Remote machine beleives that the request has come directly from the client and responds appropriately.

It all sounds straightforward enough but, as Austin explained, there are some gotchas too:

  • As for when tunneling RPC through HTTPS with Outlook and Exchange, the certificate must be recognised as valid – there is no manual option to trust a site if there are certificate issues (as there would be when browsing the Internet). There are two possible options:
    1. Establish a corporate public key infrastructure and install the appropriate certificates on the client. The downside to this is where clients don’t allow certificates to be installed by users (e.g. in a kiosk scenario).
    2. Alternatively, purchase a certificate from a trusted certification authority.
  • At least initially, few organisations will have a PKI based on Windows Server 2008 and, due to the removal of the Xenroll ActiveX control from Windows Vista (see Microsoft knowledge base article 922706), Windows Vista and Windows Server 2008 computers cannot use the WIndows 2000/2003 CA web interface (or indeed the equivalent interfaces on the Thawte or Verisign websites). It should be possible to craft an appropriate web server certificate using the MMC Certificates snap-in, but the common name for the server needs to be fully qualified and the MMC tools insert an unqualified name in a computer certificate. Thankfully there is another method – using the certreq.exe command line tool and a .inf file with the certificate template information (the syntax is described in Microsoft knowledgebase article 321051 and certutil -csplist will list the trusted cryptographic service providers), for example:

    [Version]
    Signature="$Windows NT$

    [NewRequest]
    Subject = "CN=servername.domainname.tld"
    KeySpec = 1
    KeyLength = 2048
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1

In terms of best practice, Austin had some more advice to give:

  • Use a dedicated Terminal Services Gateway Server.
  • Consider placing the gateway server behind an ISA server.
  • Terminate the SSL connection in the DMZ and put the Terminal Services Gateway Server on the corporate network
  • VPNs may still have a place in the infrastructure – Terminal Services gateway servers are best used where no local copy of the data is required or where bandwidth issues mean that the user experience over a VPN experience is poor.

Further information

Microsoft Terminal Services.
Microsoft Terminal Services team blog.
Terminal Services in the Windows Server 2008 Technical Library.

James May’s 20th Century

Posted on By Mark Wilson

I’ve just spent an hour in front of the gogglebox watching James May’s 20th Century. “What’s that?”, you may ask. It’s a new BBC/Open University television programme looking at technology and how it’s changed the way in which we live over the last hundred-or-so years.

Tonight featured two episodes: the first looking at how the world became smaller with the development of air and motorised road travel and how, ironically, it was not supersonic aircraft travel that became the accepted means to “shrink” our planet but computers, fibre optics and the Internet; and the second looking at how the space race grew from one man’s dreams to a desire for military supremecy and eventually to a means to communicate (bit of a theme running here…) – I never realised just how many satellites are in orbit around the world.

Anyway, for UK readers with even the remotest interest in technology (and if you don’t have that, I’m surprised that you’re reading this blog), it’s fascinating viewing. Even my wife was interested, although as our toddler son is asking more and more “who?, “what?”, “when?” and “why?” questions this could be the science lesson that she needs in order to be able to keep up!

Why the banks just don’t get IT

Posted on By Mark Wilson

Identity theft worries me. It doesn’t stop me sleeping at night but nevertheless it does worry me.

It seems that each time I log in to a banking website the security has been “enhanced” with yet another item that I fail to enter correctly and then have to call the helpdesk to get my account unlocked – and I’m an IT guy… what about the “normal” users (they probably write down the details somewhere)!

Mark James has written an interesting article about this issue – and how the answer is really quite simple – if only the banks would apply the same security approach to consumer banking as corporates do for remote access.

Security – Why the banks just don’t get IT

Posted on By Mark Wilson

A few weeks back, I read a column in the IT trade press about my bank’s botched attempt to upgrade their website security and I realised that it’s not just me who thinks banks have got it all wrong…

You see, the banks are caught in a dilemma between providing convenient access for their customers and keeping it secure. That sounds reasonable enough until you consider that most casual Internet users are not too hot on security and so the banks have to dumb it down a bit.

Frankly, it amazes me that information like my mother’s maiden name, my date of birth, and the town where I was born are used for “security” – they are all publicly available details and if someone wanted to spoof my identity it would be pretty easy to get hold of them all!

But my bank is not alone in overdressing their (rather basic) security – one of their competitors recently “made some enhancements to [their] login process, ensuring [my] money is even safer”, resulting in what I can only describe as an unmitigated user experience nightmare.

First I have to remember a customer number (which can at least be stored in a cookie – not advisable on a shared-user PC) and, bizarrely, my last name (in case the customer number doesn’t uniquely identify me?). After supplying those details correctly, I’m presented with a screen similar to the one shown below:

Screenshot of ING Direct login screen

So what’s wrong with that? Well, for starters, I haven’t a clue what the last three digits of my oldest open account are so that anti-phishing question doesn’t work. Then, to avoid keystroke loggers, I have to click on the key pad buttons to enter the PIN and memorable date. That would be fair enough except that they are not in a logical order and they move around at every attempt to log in. This is more like an IQ test than a security screen (although the bank describes it as “simple”)!

I could continue with the anecdotal user experience disasters but I think I’ve probably got my point across by now. Paradoxically, the answer is quite simple and in daily use by many commercial organisations. Whilst banks are sticking with single factor (something you know) login credentials for their customers, companies often use multiple factor authentication for secure remote access by employees. I have a login ID and a token which generates a seemingly random (actually highly mathematical) 6 digit number that I combine with a PIN to access my company network. It’s easy and all it needs is knowledge of the website URL, my login ID and PIN (things that I know), together with physical access to my security token (something I have). For me, those things are easy to remember but for someone else to guess – practically impossible.

I suspect the reason that the banks have stuck with their security theatre is down to cost. So, would someone please remind me, how many billions did the UK high-street banks make in profit last year? And how much money is lost in identity theft every day? A few pounds for a token doesn’t seem too expensive to me. Failing that, why not make card readers a condition of access to online banking and use the Chip and PIN system with our bank cards?

[This post originally appeared on the Seriosoft blog, under the pseudonym Mark James.]

Windows Vista volume activation failure

Posted on By Mark Wilson

When I upgraded my Vista installation from a (not-yet activated) copy of Windows Vista Business Edition to Windows Vista Enterprise Edition, the activation counter was reset to 30 days; however, since then it’s been bugging me with the following message

Volume activation has failed.

Your computer could not be activated.

Error:
0x8007232B
Description:
DNS name does not exist

Cryptic though the message is, it’s really quite simple – this is a volume licensed (Enterprise) copy of Windows Vista so it is looking for a key management server (KMS) to activate itself. I’m at home today, so it can’t find one but in any case, as I had not provided a product key during installation, Vista could not activate. Once I provided the appropriate multiple activation key (MAK), Vista was able to activate via the Microsoft servers.

It was interesting to see the changes in the system properties as activation took place. First the remaining time to activate dropped from 24 days (30 days minus the 6 since I upgraded the PC) to 5 days when the MAK was accepted. Then, once activation had completed successfully, Windows acknowledged that it was activated and genuine.

There’s more information about this error in Microsoft knowledge base article 938107 and Christian Mohn has blogged about a similar experience he had with Windows Vista Business Edition requiring the product key to be re-entered.