Working around UAC

This content is 18 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

There’s been a lot written about Windows Vista’s user account control (UAC) and personally I can’t see what the criticism is about (Mac OS X and Linux both have similar mechanisms, although the implementation is slightly different); however, it was interesting to hear Steve Lamb mention at a recent event that commands launched from a command shell (cmd.exe) running as administrator will not invoke UAC.

Of course it goes without saying that, just as when running a root shell in Linux, the use of such sessions should be limited and I’ve written previously about how the shortcut to run cmd.exe as an administrator can be modified to make it very obvious that elevated permissions are in use.

Steve also pointed out that, if developers wrote less code that requires privileged execution, then UAC would not appear so frequently. Although UAC behaviour can be modified in group policy, it is not recommended.

Configuring wireless Ethernet with Red Hat Enterprise Linux 5

Even Linux advocates admit that Linux is not as user-friendly as it should be when it comes to mobile networking:

“Networking on Linux right now is painful for the mobile desktop user, especially in comparison to other operating systems. A laptop user should never need to use the command line or configuration files to manage their network; it should ‘Just Work’ as automatically as possible and intrude as little as possible into the user’s workflow.”

GNOME NetworkManager project website

Oh how true!

A couple of nights back, I was staying at a hotel which only offered Wi-Fi connectivity for guest Internet access. That’s all very well if you have Wi-Fi configured on your laptop but, since rebuilding on Red Hat Enterprise Linux (RHEL) 5 last week, I haven’t got around to setting up the Intel PRO Wireless 2200BG adapter in my notebook. It turns out that it is pretty straightforward, once you have worked out what to do.

I recently wrote about configuring wireless Ethernet with Fedora Core 5 (using the same computer). After a long-winded effort, installing updated drivers, kernel modules and firmware, I finally got it working but only on one network and not with the NetworkManager applet. Then, I found out that the drivers are included in the kernel by default – all that is required is the correct firmware.

As it happens, the same is true for RHEL (lsmod | grep ipw2200 told me that ipw2200 and ieee80211 were both present in the kernel) and Jeff at nethub.org suggests (for CentOS, which is basically a rebadged version of RHEL):

“…download the firmware from the Intel Pro/Wireless 2200GB SourceForge project

[…]

After downloading the file, type in the following commands as root:

tar -zxf ipw2200-fw-2.0.tgz
mv *.fw /lib/firmware/
rmmod ipw2200

Then, wait a few seconds, and type:

modprobe ipw2200

It’s actually even easier than that – the RHEL supplementary CD includes an RPM for the appropriate firmware (so why it’s not installed by default I don’t know) and, after installing the package and running modprobe ipw2200, eth1 became visible on my computer. Running service NetworkManager start and service NetworkManagerDispatcher start launched the NetworkManager applet too; to make the change permanent, I used chkconfig NetworkManager on and chkconfig NetworkManagerDispatcher on. I also found that a reboot was required before all the wireless network components got themselves in order.

Following this, it was a case of selecting the appropriate SSID from the NetworkManager icon, and supplying the appropriate security details when prompted.

Network Manager - security

Following that, a connection was established (and NetworkManager even activates/deactivates the wired network connection as appropriate).

Network Manager - connected

It seems that getting wireless in Linux is becoming easier but it’s still not as simple as it should be. NetworkManager helps (a lot) but if the leading Linux distribution had automatically detected my industry-standard hardware (as Novell SUSE Linux Enterprise did… and as Windows did), it would have been a whole lot easier.

Windows Vista and ATI display drivers

My IBM T40 is not an old PC. Well, it may be three years old but it’s still a perfectly capable machine. One of its great features is the S-Video display output – perfect for watching films from the computer on a TV – at least it would be if I could get it to work under Windows Vista.

The trouble is that the T40 has an ATI Mobility Radeon 7500 graphics chipset. The Windows Vista setup routine had installed the standard VGA graphics adapter driver (v6.0.6000.16386) but there is no supported Windows Vista driver for this chipset. I could rant on about how this lack of device support is a terrible way for ATI to treat customers and how it’s not as if I have any option to upgrade the graphics in a notebook PC but that won’t get me anywhere (and my blood pressure is already high enough). Nor will it sell me another PC, which is what hardware manufacturers really want, rather than developing modern drivers for old products. Instead, I spent far too much time today trying to get it working:

  • I found a forum post that suggested the Windows XP drivers would work (at least on pre-release versions of Vista) so I downloaded the latest available drivers from the IBM website, extracted them to a folder on my hard disk and let Windows Vista look there for updated drivers. After a successful installation (v6.14.10.6547) Windows reported the correct adapter type and provided support for multiple displays. So I was half way to my goal but without ATI-specific device options to enable advanced features (like the S-Video connection).
  • Next, I tried running the full installer for the XP drivers and all the associated bloat but all I got was a blue screen of death (ati3duag.dll PAGE_FAULT_IN_NON_PAGED_AREA)… not a good result.
  • So I downloaded and installed the latest version (v7.5) of the ATI Catalyst Control Center (CCC) – except that it ignored my graphics adapter completely and just gave me some Catalyst Install Manager (CIM) links for updating/uninstalling CCC. At one stage, I was even dumped back to 4-bit 640×480 graphics and had to roll back my driver to the standard VGA before reinstalling the XP driver that had previously been working in Vista.
  • I tried running individual installers from within the extracted CCC package (e.g. ccc-graphics-full-existing.msi) and something happened to make a desktop right-click option for ATI CATALYST(R) Control Center appear (I hate excessive capitalisation in menu items!) but CCC still doesn’t load, so I guess it doesn’t like the XP display driver.
  • After reading Koroush Ghazi’s ATI Catalyst Tweak Guide, I tried Ray Adams’ ATI Tray Tools but these just produced memory errors on Vista, even when run as Administrator.
  • Finally, I went back to my extracted driver package and ran the ATI Control Panel (v8.133.2.1.1-061116a0949984C) setup (from the CPANEL folder, rather than the top level CIM installer). Even though Vista informed me that “this program has known compatibility issues” and that “ATI Control Panel is incompatible with this version of Windows”, it gave me access to all the advanced display settings but I couldn’t get it to recognise that the TV was connected.

ATI Control Panel

Now it’s the end of the day and I’m giving up. I guess I’ll have to go back to XP to use my TV-out (or watch videos on the laptop display). Grrr.

File name limitations when accessing Windows file shares from a Mac

Earlier this afternoon, one of my friends got in touch with “a quick tech question” (it had to be quick as his method of communication was SMS text message):

“…We have a brand new, state of the art pre-press system which, for some reason, is running Windows 2000. It seems that this OS cannot handle file names longer than 27 chars…”

I was sure that this would be an integration issue rather than an operating system restriction, as I’ve never come across any such limitation with a Windows NT-based system (leaving aside the question of why a state of the art device would use an old and unsupported operating system) – besides which, I was in no mood to give an office full of professional Mac users an excuse to bash Microsoft!

After a very short time spent googling, I found a newsgroup post which explains the issue. It seems that Apple filing protocol (AFP) 2.2, used by Windows Services for Macintosh, has a 31-character limit (presumably 4 of those characters are used by the driveletter:\ portion of the filename and another one somewhere else leaving 27 visible characters). AFP 3.x has no such limitation but, as all modern Macs can use SMB to communicate natively with Windows servers, there seems little point in using Services for Macintosh these days. Looking at the Wikipedia article on AFP, there may also be restrictions on file sizes with AFP and certain client-server combinations.

New (mighty) mouse

A few months back, I wrote about the problems I have been experiencing with my Apple Mighty Mouse.

I got used to cleaning the scroll ball, but after a while, the right-click became unreliable – to the point where I had to connect an ordinary PC mouse to the Mac, which then worked perfectly (indicating that my configuration was fine).

Contrary to the anecdotal reports that I linked in my original post, last week I took the not-so-mighty Mouse to the Apple Store in London (Regent Street), where a “genius” exchanged it for a new one. I hadn’t been hopeful (as when it was my turn for service he was displaying a really unhelpful attitude, still complaining to a colleague about his previous customer) but, even after trying it out on another machine and not finding any problem, he commented that I “seem to know what I’m talking about” (I hope so!) and exchanged it anyway.

I’d forgotten how good it was when it was new – I just hope this one lasts a bit longer.

Working with OpenXML document formats in Office 2003

Just before I left the office yesterday evening, I downloaded some presentations from Microsoft. Not surprisingly, these were in the new Office 2007 (OpenXML) document format and Windows XP recognised them as zipped archives (which they are – if you open one up, there are a load of XML files and graphics – incidentally a great way to extract graphics from a presentation – although curiously they all have the date and time stamp of 01/01/1980).

As I still use Office 2003 at work, it seemed logical to me that these files would be inaccessible, but I opened one up out of curiosity and PowerPoint gave me the option to install a compatibility pack (presumably I’d already installed an update to provide the “hook” for Office 2003 to download the compatibility pack). Once the 27MB Compatibility Pack for the 2007 Office System had been installed, I could work natively with the files, including the ability to save OpenXML from within Office 2003 applications, disproving my earlier predictions of file format nightmares.

Amit Agarwal has more information about working with the OpenXML file formats on his Digital Inspiration blog.

Remote Desktop alternative for Mac users

I frequently connect to Windows hosts from my Mac and I have been using the Microsoft Remote Desktop Connection client for Mac OS X. The trouble with this is that it only allows a single connection and it’s not a universal binary (it also has a tendency to crash on exit, requiring a forced quit). I use rdesktop on my Linux boxes, and figured it ought to be available for the Mac (it is, using fink, or by compiling from source) but I also came across CoRD (via Lifehacker) and TSclientX (via the comments on the Lifehacker post) – both of which seem to offer a much richer user experience:

  • CoRD allows multiple RDP connections as well as storing login credentials. It seems pretty responsive too.
  • TSclientX is essentially a GUI wrapper for rdesktop and therefore requires X11. That shouldn’t really be a problem but it does sometimes feel like a bit of a kludge – even so, it has the potential to be extremely useful as it supports SeamlessRDP. Unfortunately, SeamlessRDP requires additional software to be present on the remote Windows system and I couldn’t get it to work for me, possibly because I was connecting to a Windows XP machine (which only supports a single connection) and rdesktop creates an X11 window for each window on the server side.

At the moment, I’ve settled on CoRD, largely due to its ease of use but both clients seem to offer a great improvement over Microsoft’s RDP offering for Mac users.

Running Red Hat Enterprise Linux without a subscription

I’ve written previously about why open source software is not really free (as in monetary value), just free (as in freedom). Companies such as Red Hat and Novell (SUSE) make their money from support and during Red Hat Enterprise Linux (RHEL) setup, it is “strongly recommended” that the system is set up for software updates via Red Hat Network (RHN), citing the benefits of an RHEL subscription as:

  • “Security and updates: receive the latest software updates, including security updates, keeping [a] Red Hat Enterprise Linux system updated and secure.
  • Downloads and upgrades: download installation images for Red Hat Enterprise Linux releases, including new releases.
  • Support: Access to the technical support experts at Red Hat or Red Hat’s partners for help with any issues you might encounter with [a] system.
  • Compliance: Stay in compliance with your subscription agreement and manage subscriptions for systems connected to [an] account at http://rhn.redhat.com/

You will not be able to take advantage of these subscriptions privileges without connecting [a] system to Red Hat Network.”

Red Hat Enterprise Linux 5 installer

Take a look at Red Hat Enterprise Linux (RHEL) and you’ll see that it’s actually quite expensive – a standard subscription for a machine with up to 2 processor sockets including 1 year’s 12×5 telephone support, 1 year of web access and unlimited incidents is €773.19 [source: Red Hat Online Shop, Europe]. That is not something that I can afford and even though Red Hat gave me a copy of RHEL 5 as part of my recent training, it only includes a 30-day subscription. Now they have launched Red Hat Exchange – a new service whereby third party open source software solutions are purchased, delivered and supported via a single, standardized Red Hat subscription agreement with consolidated billing covering the complete application stack. It’s a great idea, but the pricing for some of the packages makes using proprietary alternatives seem quite competitive.

In fairness to Red Hat, they sponsor the Fedora Project for users like me, who could probably make do with a community-supported release (Fedora is free for anyone to use, modify and distribute) but there is another option – CentOS (the community enterprise operating system), which claims to be:

“An Enterprise-class Linux Distribution derived from sources freely provided to the public by a prominent North American Enterprise Linux vendor. CentOS conforms fully with the upstream vendor[‘]s redistribution policy and aims to be 100% binary compatible. (CentOS mainly changes packages to remove upstream vendor branding and artwork.) CentOS is free.”

Hmm… so which North American Enterprise Linux vendor might that be then ;-)

So what about RHEL systems for which the subscription has expired? I’m not sure what the legal standpoint is but there is a way to receive updated software using an unregistered copy of RHEL. Firstly, configure additional repositories like Dag Wieers’ RPMForge (there are even RPMs available to set up the correct repository!). Then, there are the various RPM search sites on the ‘net, including:

I’ve found that using these, even if there is not an appropriate RHEL or generic RPM available, there is often a CentOS RPM (which often still carries the el5 identifier in the filename). These should be safe to install on an RHEL system and in those rare cases when a bleeding edge package is required, there may well be a Fedora version that can be used. So it seems that I can continue to run a Linux distribution that is recognised by most software vendors, even when my RHN subscription expires.

Installing VMware Server on Red Hat Enterprise Linux 5

Last year, I wrote about installing VMware Server on Fedora Core 6. At the time, I was using version 1.0.1 (build 29996) and tonight I needed to load the latest version 1.0.3 (build 44356) on my laptop, which is now running Red Hat Enterprise Linux (RHEL) 5. In theory, installing on a popular enterprise distribution such as RHEL ought to be straightforward but even so there were some things to watch out for (some of which were present in my earlier post). The following steps should be enough to get VMware Server up and running:

  1. Download the latest VMware Server release and register for a serial number (i.e. give VMware lots of marketing information… everything but my inside leg measurement… and make a mental note that I mustn’t lose the serial number this time).
  2. Prepare the system, installing the following packages and dependencies:
    • gcc (v4.1.1-52.el5.i386)
      • glibc-devel (v2.5-12.i386):
        • glibc-headers (v2.5-12.i386).
      • libgomp (v4.1.1-52.el5.i386).
    • kernel-devel (v2.6.18-8.el5.i686).
    • xinetd (v2.3.14-10.el5.i386).
  3. Install VMware Server (rpm -Uvh VMware-server-1.0.3-44356.i386.rpm).
  4. Configure VMware Server (/usr/bin/vmware-config.pl):
    • Display and accept the EULA, then accept defaults for installation of MIME type icons (/usr/share/icons), desktop menu entries (/usr/share/applications), application icon (/usr/share/pixmaps), allow the configuration to build the vmmon module (using /usr/bin/gcc), enable networking, enable NAT, probe for an unused private subnet, do not configure additional NAT subnets, enable host-only subnets, probe for an unused private subnet, do not configure additional host-only subnets, port for connection (902), default location for virtual machine files (/var/lib/vmware/Virtual Machines, creating if necessary) and finally, provide the serial number when requested.
      • All the prompts should work at their defaults; however it may be necessary to answer the question “What is the location of the directory of C header files that match your running kernel? [/usr/src/linux/include]” with /usr/src/kernels/2.6.18-8.el5-i686/include (or another version of the kernel-devel tools).
      • Building the vmmon module will fail if gcc is not present.
      • If the installer is being run under X, the serial number can be pasted into the terminal when requested.
    • The configuration script will have to be re-run if it finds that inetd or xinetd is not installed.
  5. Extract the VMware management user interface from the archive (tar zxf VMware-mui-1.0.3-44356.tar.gz) and run the installation program (./vmware-mui-distrib/vmware-install.pl):
    • Display and accept the EULA, then accept defaults for installation of the binary files (/usr/bin), location of init directories (/etc/rc.d), location of init scripts (/etc/rc.d/init.d), installation location (/usr/lib/vmware-mui, creating if necessary), documentation location (/usr/lib/vmware-mui/doc, creating if necessary), allow vmware-install.pl to call /usr/bin/vmware-config-mui.pl and define the session timeout (default is 60 minutes).
  6. Extract the VMware Server console package from the client archive, or download it from the VMware management interface at https://servername:8333/ (it may be necessary to open a firewall port for TCP 8333 using system-config-securitylevel in order to allow remote connections).
  7. Install the VMware Server console (rpm -Uvh VMware-server-console-1.0.3-44356.i386.rpm).
  8. Run the vmware-config-server-console.pl script (not vmware-config-console.pl as stated in the documentation) – accept the EULA and if prompted, enter the port number for connection (default is 902).

At this point, you should have a working VMware Server installation accessible via the VMware Server Console icon on the Applications | System Tools menu, by using the vmware command from a terminal, or via a browser session. The final stage is to set up some virtual machine. I simply copied my previous image from an external hard disk to /var/lib/vmware/Virtual Machines and then opened it in the console (from where I could update the VMware Tools) but the (Windows) VMware Converter utility is available for P2V/I2V/V2V migrations (replacing the VMware P2V Assistant) and preconfigured VMs can be obtained from the VMTN virtual appliance marketplace.

Using Active Directory to authenticate users on a Linux computer

I’m not sure if it’s the gradual improvement in my Linux knowledge, better information on the ‘net, or just that integrating Windows and Unix systems is getting easier but I finally got one of my non-Windows systems to authenticate against Active Directory (AD) today. It may not sound like much of an achievement but I’m pretty pleased with myself.

Active Directory is Microsoft’s LDAP-compliant directory service, included with Windows server products since Windows 2000. The AD domain controller that I used for this experiment was running Windows Server 2003 with service pack 2 (although the domain is still in Windows 2000 mixed mode and the forest is at Windows 2000 functional level) and the client PC was running Red Hat Enterprise Linux (RHEL) 5.

The first step is to configure the Linux box to use Active Directory. I ran this as part of the RHEL installation but it can also be configured manually, or using system-config-authentication. The best way to do this is using LDAP and Kerberos (as described by Scott Lowe) but Scott’s advice indicates that would require some AD schema changes to incorporate Unix user information; the method I used is based on Winbind and doesn’t seem to require any changes on the server as Winbind allows a Unix/Linux box to become a full member of a Windows NT/AD domain.

The settings I used can be seen in the screen grab, specifying the Winbind domain (NetBIOS domain name), security model (ADS), Winbind ADS realm (DNS domain name), Winbind domain controller(s) and the template shell (for users with shell access). Following this, I selected the Join Domain button and supplied appropriate credentials, and the machine successfully joined the domain (an error was displayed in the terminal window indicating that Kerberos authentication had failed – not surprising, as it hadn’t been configured – but the message continued by reporting that it had fallen back to RPC communications, resulting in a successful join).

For reference, the equivalent manual process would have been something like:

  1. Edit the name service switch file (/etc/nsswitch.conf) to include the following:
     passwd: files winbind
     shadow: files winbind
     group: files winbind
     netgroup: files
     automount: files
  2. Edit the Samba configuration file (/etc/samba/smb.conf) to include the following configuration lines in the [global] section:
     workgroup = DOMAINNAME
     security = ads
     password server = domaincontroller.domainname.tld
     realm = DOMAINNAME.TLD
     idmap uid = 16777216-33554431
     idmap gid = 16777216-33554431
     template shell = /bin/bash
     winbind use default domain = false
  3. Edit the PAM authentication configuration (/etc/pam.d/system-auth) to append broken_shadow to account required pam_unix.so and to insert:
     auth sufficient pam_winbind.so use_first_pass
     account [default=bad success=ok user_unknown=ignore] pam_winbind.so
     password sufficient pam_winbind.so use_authtok
  4. Join the domain:
     /usr/bin/net join -w DOMAINNAME -S domaincontroller.domainname.tld -U username
  5. Restart the winbind and nscd services:
     service winbind restart
     service nscd restart

It’s also possible to achieve the same results using authconfig (as described by Bill Boswell).

Once these configuration changes have been made, AD users should be able to authenticate, but they will not have home directories on the Linux box, resulting in a warning:

Your home directory is listed as:

‘/home/DOMAINNAME/username’

but it does not appear to exist. Do you want to log in with the / (root) directory as your home directory? It is unlikely anything will work unless you use a failsafe session.

or just a simple:

No directory /home/DOMAINNAME/username!

Logging in with home = “/”.

This is easy to fix, as described in Red Hat knowledgebase article 5367, adding session required pam_mkhomedir.so skel=/etc/skel umask=0077 to /etc/pam.d/system-auth. After restarting the winbind service, the first subsequent login should be met with:

Creating directory ‘/home/DOMAINNAME/username’

The parent directory must already exist; however some control can be exercised over the naming of the directory – I added template homedir = /home/%D/%U to the [global] section in /etc/samba/smb.conf (more details can be found in Red Hat knowledgebase article 4760).

At this point, AD users can log on (using DOMAINNAME\username at the login prompt) and have home directories dynamically created but (despite selecting the cache user information and local authorization is sufficient for local users options in system-config-authentication) if the computer is offline (e.g. a notebook computer away from the network), then login attempts will fail and the user is presented with the following warning:

Incorrect username or password. Letters must be typed in the correct case.

or:

Login incorrect

In order to allow offline working, I followed some advice relating to another Linux distribution (Mandriva disconnected authentication and authorisation) but it still worked for me on RHEL. All that was required was the addition of winbind offline logon = yes to the [global] section of /etc/samba/smb.conf along with some edits to the /etc/pam.d/system-auth file:

  • Append cached_login to auth sufficient pam_winbind.so use_first_pass.
  • Add account sufficient pam_winbind.so use_first_pass cached_login.

These changes (along with another winbind service restart) allowed users to log in using cached credentials (once a successful online login had taken place), displaying the following message:

Logging on using cached account. Network ressources [sic] can be unavailable

Unfortunately, the change also prevented local users from authenticating (except root), with the following strange errors in /var/log/messages:

May 30 11:30:42 computername pam_winbind[3620]: request failed, but PAM error 0!
May 30 11:30:42 computername pam_winbind[3620]: internal module error (retval = 3, user = `username')
May 30 11:30:42 computername login[3620]: Error in service module

After a lot of googling, I found a forum thread at LinuxQuestions.org that pointed to account [default=bad success=ok user_unknown=ignore] pam_winbind.so as the culprit. After I removed this line from /etc/pam.d/system-auth (it had already been replaced with account sufficient pam_winbind.so use_first_pass cached_login), both AD and local users could successfully authenticate:

May 30 11:37:25 computername -- username[3651]: LOGIN ON tty1 BY username
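The system-auth edits above (pam_winbind with cached_login, pam_mkhomedir, and the removal of the default=bad account line) are easy to get subtly wrong, so here is a small linter for that stack. It is an added example, not code from the original post; the two system-auth files embedded in it are constructed to mirror the broken and fixed states the post describes, and the umask check is a further caveat of mine rather than something the post raised.

```python
"""Lint an /etc/pam.d/system-auth stack for the Winbind pitfalls described above."""
# Added example, not the post's own code: each PAM line is parsed into
# (type, control, module, args) and the stack is checked for the post's
# culprit account line, the offline-logon flag and the home-directory module.
# The two system-auth texts below are constructed, not copied from a real host.
import re
from typing import List, NamedTuple


class PamRule(NamedTuple):
    type: str         # auth / account / password / session
    control: str      # sufficient, required, or a [bracketed] control list
    module: str       # e.g. pam_winbind.so
    args: List[str]   # module arguments


# The control field is a single word or a [...] list, which may contain spaces.
_RULE_RE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_system_auth(text: str) -> List[PamRule]:
    """Parse system-auth text, skipping blank lines and # comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        rules.append(PamRule(m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return rules


def lint_winbind_stack(text: str) -> List[str]:
    """Return a list of findings; an empty list means the stack looks sound."""
    rules = parse_system_auth(text)
    findings = []
    wb_acct = [r for r in rules if r.type == "account" and r.module == "pam_winbind.so"]
    wb_auth = [r for r in rules if r.type == "auth" and r.module == "pam_winbind.so"]
    # The post's culprit: leaving the original default=bad account line next to
    # 'account sufficient pam_winbind.so ... cached_login' locks local users out.
    has_default_bad = any(r.control.startswith("[") and "default=bad" in r.control for r in wb_acct)
    has_cached_acct = any(r.control == "sufficient" and "cached_login" in r.args for r in wb_acct)
    if has_default_bad and has_cached_acct:
        findings.append("account: remove '[default=bad success=ok user_unknown=ignore] pam_winbind.so'; "
                        "with the cached_login line present it blocks local (non-root) users")
    # Offline logon needs cached_login on the auth line as well as the account line.
    if wb_auth and not any("cached_login" in r.args for r in wb_auth):
        findings.append("auth: pam_winbind.so lacks cached_login, so offline logon will fail")
    # Home directories: without pam_mkhomedir AD users hit 'No directory /home/...';
    # a umask looser than 0077 leaves every new home directory readable by others.
    mkhome = [r for r in rules if r.type == "session" and r.module == "pam_mkhomedir.so"]
    if not mkhome:
        findings.append("session: no pam_mkhomedir.so, so AD users get no home directory")
    for r in mkhome:
        umask = next((a.split("=", 1)[1] for a in r.args if a.startswith("umask=")), None)
        if umask is None or (int(umask, 8) & 0o077) != 0o077:
            findings.append(f"session: pam_mkhomedir.so umask={umask} exposes home directories to other users")
    return findings


# Constructed: the state the post describes before the culprit line was removed.
BROKEN_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass cached_login
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     sufficient    pam_winbind.so use_first_pass cached_login
account     required      pam_permit.so
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
"""

# Constructed: the post's final working stack (culprit removed, pam_mkhomedir added).
FIXED_SYSTEM_AUTH = BROKEN_SYSTEM_AUTH.replace(
    "account     [default=bad success=ok user_unknown=ignore] pam_winbind.so\n", ""
) + "session     required      pam_mkhomedir.so skel=/etc/skel umask=0077\n"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_SYSTEM_AUTH), ("fixed", FIXED_SYSTEM_AUTH)):
        print(f"{name}: {lint_winbind_stack(text) or ['no findings']}")
```

Pointing lint_winbind_stack at the real file (open("/etc/pam.d/system-auth").read()) gives the same checks against a live host.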

I should add that this configuration is not perfect – Winbind seems to take a minute or so to work out that cached credentials should be used (sometimes resulting in failed login attempts before allowing a user to log in) and it also seems to take a long time to login when working offline, but nevertheless I can use my AD accounts on the Linux workstation and I can log in when I’m not connected to the network.

If anyone can offer any advice to improve this configuration (or knows how moving to a higher domain/forest functional level may affect it), please leave a comment below. If you wish to follow the full LDAP/Kerberos authentication route described in Scott Lowe’s article (linked earlier), it may be worth checking out Microsoft Services for Unix (now replaced by the Identity Management for Unix component in Windows Server 2003 R2) or the open source alternative, AD4Unix.