Tuesday, October 10, 2006
Installing Joomla on NetWare 6.5
Download the zlib module for php. I used the 1.1.4 version with NetWare 6.5 Sp5
http://www.gknw.net/development/apache/libs/netware/
Extract the downloaded zlib package and place the modules from the zip into the sys:\php5\ext directory.
Enable php support in apache by uncommenting the include statement for mod_php in sys:\apache2\conf\httpd.conf
If the include statement doesn't exist, then you can create it by adding the following line to the bottom.
Include sys:\apache2\conf\mod_php.conf
If the include statement was remarked, be sure to stop and restart apache after removing the remark statement.
Test that apache has php support enabled by moving sys:\php5\scripts\info.php to sys:\apache2\htdocs, then browse to http://server/info.php
You should have a nice looking page reporting the PHP version and compiled settings. Note! If you search the page for ZLIB, you should not find any hits. We will be fixing that.
Modify open_basedir = ".;sys:/apache2/htdocs" in sys:\php5\php.ini to reference the base directory where joomla will be installed. Otherwise the include statements within joomla will not work. There are additional settings that may need to be tweaked in php.ini, like safe mode and such. Contact me if you need help with these.
Add the extension statement to php.ini to load zlib support. The line would look like this:
extension=php_zlib.nlm
(Note! This module exists in sys:\php5\ext)
Restart apache2
Download and unzip the stable distribution from joomla.org
I unzipped the install into sys:\tmp and then made a copy to sys:\apache2\htdocs\joomla
Be sure that, whatever directory you put joomla into, your php.ini file matches this directory path. The include_path and open_basedir settings are set to meet these needs.
I will leave the rest of the joomla configuration steps up to the joomla docs unless someone emails me and asks for more info.
Additional NetWare modules can be found here for apache, php, and such.
http://www.gknw.at/development/apache/
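A check for the php.ini changes in the Joomla steps above, as an added example that is not part of the original post. It assumes a case-insensitive volume and ';' as the path-list separator; the function names and the include_path directory in the sample are made up for illustration.

```python
# Constructed php.ini fragment built from the values in the steps above.
# The include_path entry is a made-up directory for illustration.
SAMPLE_INI = '''
; constructed sample
open_basedir = ".;sys:/apache2/htdocs"
include_path = ".;sys:/apache2/htdocs/joomla/includes"
extension=php_zlib.nlm
'''

def norm(path):
    """Normalise a NetWare path: forward slashes, lower case, no trailing slash."""
    return path.strip().strip('"').replace("\\", "/").lower().rstrip("/")

def inside(path, base):
    """True if path is base itself or a directory below it (not a mere prefix)."""
    p, b = norm(path), norm(base)
    return p == b or p.startswith(b + "/")

def parse_ini(text):
    """Return (directives, extensions); lines starting with ';' are comments."""
    directives, extensions = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip().strip('"') for part in line.split("=", 1))
        if key.lower() == "extension":
            extensions.append(value.lower())
        else:
            directives[key.lower()] = value
    return directives, extensions

def entries(value):
    """Split a ';'-separated path list, ignoring '.' and empty entries."""
    return [e for e in value.split(";") if e.strip() not in ("", ".")]

def check(text, joomla_dir):
    """Return a list of problems with the php.ini settings the steps rely on."""
    directives, extensions = parse_ini(text)
    bases = entries(directives.get("open_basedir", ""))
    problems = []
    if not bases:
        problems.append("open_basedir names no directory")
    elif not any(inside(joomla_dir, b) for b in bases):
        problems.append("joomla directory is outside open_basedir")
    for inc in entries(directives.get("include_path", "")):
        if bases and not any(inside(inc, b) for b in bases):
            problems.append("include_path entry outside open_basedir: " + inc)
    if "php_zlib.nlm" not in extensions:
        problems.append("extension=php_zlib.nlm is missing or commented out")
    return problems
```

Calling check(SAMPLE_INI, r"sys:\apache2\htdocs\joomla") returns an empty list; a Joomla directory outside htdocs is reported as outside open_basedir.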
NetWare 6.5 Web Services
Two main structures of apache are as follows
sys:\adminsrv
sys:\apache2
The load scripts for these two main apache instances, admsrvup and ap2webup, are located in sys:\system. admsrvup loads the admin server instance and ap2webup loads the default apache2 service instance.
The Administration Instance of Apache2 on Netware
The main configuration file is located in
sys:\adminsrv\conf\adminsrv.conf
This file controls ports 2200 and 2211
Not too much is done with this configuration. It generally runs out of the box, and reinstalling the apache admin instance usually fixes it. Try to refrain from deleting the directory when reinstalling, as there are some critical links contained in the classes which are hard to restore.
The Apache 2 instance
This is the main apache2 service which can be used to run netstorage, ifolder, and other custom web pages as desired.
The main config file is located in sys:\apache2\conf\httpd.conf
Several load statements, listen statements and include statements are all located in this file.
Example real world situation
Customer wanted a regular web page listening on intranet.domain.com (ip x.x.x.10) and an iFolder webpage listening on ifolder.domain.com (ip x.x.x.11)
To accomplish this I created two start config files, sys:\system\ap2webup.ncf and sys:\system\startifolder.ncf
ap2webup.ncf calls sys:\apache2\conf\httpd.conf and startifolder.ncf calls sys:\apache2\ifolder\server\ifolder_httpd.conf
The apache instance (ap2webup.ncf) loads into a protected address space, because otherwise it would conflict with the copy of apache running for iFolder. Also, the iFolder instance has to run in the OS address space, as xsrv and ncpl need to be able to talk and those two modules have to run in the OS address space.
I made modifications to the apache2 (ap2webup) instance, removing the load statements for netstorage, xsrv, and xtier, as these were not required for normal web server operation. Also, removing these statements allowed the apache2 instance to run in protected memory.
I might post more details on this later.
Friday, October 06, 2006
Secure MiddleTier Communication
The web service, whether apache or IIS, must be configured to use a minted certificate. This certificate can be provided by a trusted ROOT Certificate authority or your local Directory service (Active Directory or eDirectory). I will list the steps for IIS and using eDirectory as the trusted ROOT Certificate source.
Minting a Certificate on IIS
I am going to give a quick overview as full details are provided in the Novell Documentation.
- Generate a Certificate request from the IIS administration page.
- In ConsoleOne or iManager, generate a certificate response.
- On the IIS administration page, provide the certificate response.
- Export the eDirectory ROOT CA (Security container, Self signed .DER file)
- Import the ROOT CA into the local workstation
- Import the certificate from the MiddleTier server into the workstation. (It is critical that the certificate be placed in the local Computer store. Do not let the certificate wizard place the certificate for you)
Middle Tier Authentication Troubleshooting
I had forgotten about some logs in c:\windows\system32\log files which can be very useful.
The logs can at least show that connections are being made and what is being accessed via IIS. The logs are IIS generated and are not ZEN specific. XTIER does report some logs to this directory. You can control XTIER logging with the following keys.
(MT) ZENworks Middle Tier Server logging on Windows servers is enabled in the registry
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Novell\XTier\Configuration\XTLOG
Output: %System Root%\System32\LogFiles\Xtier
http://support.novell.com/cgi-bin/search/searchtid.cgi?10093312.htm
I also found that packet traces are a big asset.
If you can authenticate to https://serverip/oneNet/nsadmin then the zenworks ZDM agent should be able to authenticate also.
Comments more than welcome as I left a lot out.
Thursday, October 05, 2006
Creating Applications for Distribution
Registry Keys To Remove
I am asked all the time, "Which keys should I remove" when creating applications for mass distribution. This question is usually raised when creating applications with the ZENworks Snapshot utility. It amazed me how easy it was to find information regarding the registry keys that are captured. Come on, how hard can it be to use Google. Sure, there are WAY TOO MANY "OOOOOO"s in the name. But still, bookmark it.profentially.
During a really boring day of creating application objects for a customer, I decided to find the answers. So with every snapshot I created, I researched the registry keys that were captured. Soon I had this really nice list. I then realized that I had another need for an application. Sigh, now I have to decide which language I will write the application in.
Sure, I could write it with perl, ruby, etc. But right now I am working a lot with C# and want to get a good grasp of the language.
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
From reading through these entries, my understanding of this issue is that the values that you see under the MUICache key are not placed there by the executable, but by the shell (ie, Explorer.exe). Therefore, when a technical description of malware states that the executable "creates an entry under the MUICache key", this isn't technically correct. In fact, what's happening is that the shell is creating the entry when the malware is run.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed is a seed for a cryptographic random number.
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags
This is where MS Windows stores "window" positions.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams
Windows saves size and location information for up to 28 different windows. Each window's size and location parameters are stored in a subkey of the Streams key. The subkeys are assigned sequentially on a per-user basis. For example, when a new user logs on, the first window's parameters are stored in the subkey named 0. The second window's parameters are stored in a subkey named 1. After 28 subkeys have been created and a new window is opened, the parameters for the twenty-ninth window overwrite the parameters for one of the first 28 windows. When a window for which the parameters were overwritten is opened, the window opens with the default parameters for that window.
Windows stores the association for the Streams subkeys with a particular window in the following location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
MRU's (Most Recently Used) and MFU's (Most Frequently Used) information for the current user.
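The key list above turned into a filter, as an added example (not the author's C# application). It assumes the captured keys have been exported as .reg text; the names filter_reg, DROP_KEYS, DROP_VALUES and the ExampleApp sample are hypothetical.

```python
# Keys and values named in the post; the sample export below is constructed.
HKCU_WIN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
DROP_KEYS = [HKCU_WIN + tail for tail in (
    r"\ShellNoRoam\MUICache", r"\ShellNoRoam\BagMRU", r"\ShellNoRoam\Bags",
    r"\CurrentVersion\Explorer\Streams", r"\CurrentVersion\Explorer\StreamMRU",
    r"\CurrentVersion\Explorer\UserAssist")]
DROP_VALUES = [(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG", "Seed")]

SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed"=hex:01,02,03,\
  04,05

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\ExampleApp\\app.exe"="Example App"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\1\Shell]
"Mode"=dword:00000004
'''

def under(key, base):
    """True if key is base or a subkey of it (case-insensitive, whole components)."""
    k, b = key.lower(), base.lower()
    return k == b or k.startswith(b + "\\")

def filter_reg(text):
    """Return (kept_text, dropped) with the listed keys and values removed."""
    kept, dropped, key, skip_key, skip_value = [], [], "", False, False
    for line in text.splitlines():
        if line.startswith("["):                       # new key section
            key = line.strip()[1:-1]
            skip_key, skip_value = any(under(key, b) for b in DROP_KEYS), False
            if skip_key:
                dropped.append(key)
        elif line[:1] in ('"', "@"):                   # start of a value
            name = "@" if line[0] == "@" else line[1:line.index('"', 1)]
            skip_value = (key.lower(), name.lower()) in [
                (k.lower(), v.lower()) for k, v in DROP_VALUES]
            if skip_value and not skip_key:
                dropped.append(key + "\\" + name)
        elif not line.strip():                         # blank line ends a value
            skip_value = False
        # any other line is a hex continuation and inherits skip_value
        if not (skip_key or skip_value):
            kept.append(line)
    return "\n".join(kept) + "\n", dropped
```

The second return value lists every key and value that was removed, so the result can be reviewed before the application object is distributed.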
Methodically Troubleshooting
I was reminded how critical it is to methodically troubleshoot issues. You want to verify each part is working before you go to the next connector or piece of the puzzle.
In this case, passwords that were being set on the AD side were not unique enough for eDirectory, but we never saw an error for this. I easily could have manually set the same password in eDirectory and tested it and would have seen the problem instantly.
A self-signed certificate had become invalid on the second day of troubleshooting. It seems that one of the engineers revoked the certificate without reimporting the new certificate. This was a trick to find, as I wasn't looking for this type of error because the system had been connecting just fine.
Wednesday, October 04, 2006
Reporting ZENworks Last Inventory Date
Converting the inventoryscan date was the hardest part as this was something I hadn't done before. Here's the code I used to convert the date.
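I first had to divide the value of the inventory scan date by 1000, then I could run getdate (a builtin function) and send the results to be echoed to a table.
function calc_time($z) {
    // The inventory scan date is stored in milliseconds;
    // getdate() expects whole seconds since the Unix epoch.
    global $tm_rslt;
    $y = (int) floor($z / 1000);
    // getdate() returns an array (year, mon, mday, hours, ...) in the server's time zone.
    $tm_rslt = getdate($y);
    return $tm_rslt;
}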
You can download the whole script here
OES Linux an Enterprise Server in your network
The environment consisted of ESX 2.5x, a SAN, and other existing NetWare ESX boxes. The goal was to consolidate the existing 13 NetWare file servers to a 4 node cluster and use SLES, which seems to handle memory better when running on ESX than NetWare. I was also to configure templates with the OES SLES configuration so that it would be easy for the customer to deploy additional servers as required with minimal cleanup.
I was able to configure SLES with very few tweaks in such a way that the admin could have a SLES server fully functional in 15 minutes. It was very beautiful.
Tuesday, October 03, 2006
You must understand what you support
Sure we all have somewhere to start, but a good admin will at least scan the readme, install docs, and knowledge base before calling the product stupid. Generally products are as great as you know them.
I see this again and again: admins become very frustrated with ZENworks because they have not taken the time to understand what they are doing. You must at least have a 10,000 ft view of the product and how it functions. Otherwise it is hopeless.
Novell Asset Management
Tally, now Novell Asset Management, is one of the most powerful inventory systems available. The amount of information it records and how the information is made available is truly amazing.
I started posting content for ZAM on the Novell Wiki pages. You can view this content here.
Power of coding
Step back a minute and use an example. Would you rather build than repair something? Wouldn't you rather have a new car than fix the old car?
Being an IT engineer or technician always fixing fires has an effect on your outlook on life. Compare that to programming, creating new things, designing, using your imagination.
I have always dabbled in programming: C, PHP, and now C#. I jumped head-first in with Mono and love it. Concepts, examples, and understanding have been my life lately and I love it.
Wednesday, July 26, 2006
Tuesday, July 25, 2006
Thursday, June 22, 2006
Jack Messman is out
I just have to say, Novell ZENworks is an awesome product. I have spent the whole week working with Zen for Servers. I must say, there are some very advanced features in the product. While it's not polished in areas where it should be, no other product on the market has the power that ZFS has.
Sunday, June 04, 2006
Software Developers live in a bubble
All too often Software Developers do not use their own code.
I have seen many times new software, being written by some small shop, go downhill as the company becomes large.
When the software was first written, there was a clear need and the developer was able to test functionality easily.
Novell SuSE AutoYaST
This functionality has been around for some time, but needs to be improved. The functionality is a lot like MS Sysprep in that the OS, when restored using some sort of cloning software, is tweaked to be specific for that machine. The problem with AutoYaST is that you cannot launch the AutoYaST process after the OS has been installed. AutoYaST is made to be used while installing the OS from a software installation location. This totally breaks any kind of imaging solution. I propose that the process be allowed to be launched as normal, setting insserv first boot, touch /etc/system_config, and then on reboot, at least stage two and stage three be read and obeyed.
I just finished an engagement with a customer to develop a method to deploy Novell's SuSE Enterprise Desktop to their 450 laptops for students and faculty. The project was a huge success. The desktops authenticate against Active Directory at login, drive mappings are created for users, and many other custom network needs are met. The school was an all Microsoft shop, but felt that the cost of providing laptops to students was so great that another solution was needed. SuSE Desktop met this need. Citrix is still used for some Windows only applications, but for the most part, the students don't want to even use the MS equivalent application.