M'log

Linux in a Windows 2008 Active Directory domain

2011-10-07T13:38:00.011+02:00

This article is an attempt at writing up a single source of information of adding your boxes to a Windows 2008 Active Directory domain with modern software.

Introduction and background

If you just want to read the configuration files and instructions, skip to the "Kerberos configuration and domain join" chapter.

Back when Windows 2003 was hot, I did a project integrating a couple of hundred Linux boxes into an Active Directory domain. Because of the fact that we had three different flavors of RHEL back then, we wanted to use the same, open source, components on all flavors as much as possible, it was slightly tricky.

I still do Active Directory integration work with Linux a lot, but a lot has changed, too. One the one hand, (thankfully) RHEL3 has died last year and RHEL4 will die in early 2012, so I won't have to worry about those flavors again. RHEL5 has gained some interesting options (mainly sssd) to work with AD, bringing it on par with RHEL6. This makes it a lot easier to have both flavors work with AD with the same configuration.

On the other hand, Windows has changed a bit, too. DES and 3DES encryption types have been deprecated and disabled by default. Windows 2008 only allows AES-128, AES-256 and RC4 for encryption, unless you turn DES and 3DES back on, which you generally do not want to do. They are turned off for good reason.

Samba, however, is not able to use all the encryption types used by Windows 2008 though, limiting your options to RC4 for you keytab if you join the domain using Samba.

Another thing used to be the UPN. Over the years, I forgot the exact reason (take notes!), but what needed to be done with Windows 2003 is to create a User Principal Name (UPN) for your Linux server while joining AD. This enabled getting a Ticket Granting Ticket (TGT) for that machine and subsequently doing LDAP queries.

I suspect it has something to do with Windows 2003 not accepting the Service Principal Name (SPN) requesting a TGT. This was very annoying for a couple of reasons. First of all, you needed to add an extra configuration option to the 'net ads join' command. Second, you needed special rights in AD to create a UPN, iirc. And third, creating the UPN sometimes failed, leaving you with an incomplete computer object in AD you either needed to fix manually or recreate anew.

Back to Windows 2008. Windows 2008 *does* allow the Linux servers SPN to request a TGT, which is great news, because it makes life easier.

So, how do we do it? Read on! I'm going to split the article into three part: a part specifically about the Kerberos component, a part about the sssd and LDAP components and a part about the remaining configuration to be done.

My Kerberos test realm is called NONTOONYT.LAN. The domain controller I use is called dc01.nontoonyt.lan. The Linux machine I will be joining to AD will be called box5.nontoonyt.lan. My users in AD are located in the default Users container, my Groups in a top level OU called 'Groups'.

You will need to install the Subsystem for Unix-based Applications on one of your domain controllers. This will setup the needed LDAP attributes, enable the Unix attributes tab on this domain controller and fill the NIS domain field with the name of your domain. You only need to install this subsystem on DC's you want to see the Unix attributes tab on.

I configure my users and groups with UID's above 10000 and below 30000. Adapt this to your
needs.

Kerberos configuration and domain join

First off: Kerberos. RHEL5 and RHEL6 ship with MIT Kerberos 1.6 and 1.9 respectively. Both versions are more or less compatible with regard to the options we need to configure, so we'll use one configuration file for both RHEL5 and RHEL6.

Fist, you need to define the [libdefaults] section. It is important to set the default_realm correctly, in caps, and add lines that allow encryption types. The rest of the options are up to you to fill in. My configuration is as follows:

[libdefaults]
default_realm = NONTOONYT.LAN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

Note that, in essence, only the rc4-hmac encryption type really needs to be there if we join the machine using Samba, which does not support AES at the time of writing.

If you do decide to add the other encryption types, perhaps for future needs, be sure to start with the rc4-hmac type. Kerberos will break otherwise.

Second is the [realms] subsection. Here you statically couple domain controllers (or KDC's: Key Distribution Centers, in proper lingo) to a realm.

The admin_server entry is probably not needed, since Active Directory does not expose the administration interface to the work on port 749 anyway. This option is meant for proper, Linux based Kerberos setups, where port 749 *is* used.

My configuration is as follows:

[realms]
NONTOONYT.LAN = {
kdc = dc01.nontoonyt.lan:88
admin_server = dc01.nontoonyt.lan:749?
default_domain = nontoonyt.lan
}

Next we map domains to Kerberos realms, which is simple in my test setup:

[domain_realm]
.nontoonyt.lan = NONTOONYT.LAN
nontoonyt.lan = NONTOONYT.LAN

The [appdefaults] section does not need to be altered.

Download my full krb5.conf file here.

So, on to Samba. I'll start off with explaining how to use Samba to join to the domain and go into some alternatives later.

You can join a Linux machine to an Active Directory domain using the following command:

net ads join createcomputer=my_OU/other_OU osName=RHEL osVer=5 -U my_ad_account

You do not have to provide a domain controller to talk to here, since Samba will query DNS for _kerberos SRV records. You can provide one if you want to though, for example if you have multiple sites and want to talk to a close DC, with the -S option.

The createcomputer option defines the OU I want to create my computer object in. Have your Windows guys create an OU in which you can create objects for this. The osName and osVer options are not mandatory - they just fill some LDAP properties - but they're a nice touch.

This does not work without configuration after installing Samba. You need to configure /etc/samba/smb.conf a bit. Edit the following properties in your Samba configuration:

    workgroup = NONTOONYT
server string = box5 Linux server
netbios name = box5

security = ads
realm = nontoonyt.lan
kerberos method = system keytab

Download an example smb.conf file from here.

Having set up both /etc/krb5.conf and /etc/samba/smb.conf, you should be able to join your machine to a Windows 2008 Active Directory domain!

You can test getting a ticket after joining by running:

klist -k
kinit -k BOX5$

Neither command should give any output. Mind the caps in BOX5$.

Next up: sssd and LDAP!

sssd and LDAP configuration

Since a couple of versions, RHEL5 has an sssd package. Sssd stands for system security service daemon. In previous versions of RHEL, we had to use nss_ldap and a couple of hacks to get Active Directory authentication to work nicely. Now that there is sssd, we can finally do everything the clean way, without hacks. (I love sssd!)

Configuring sssd to provide authentication services through Kerberos and authorization services through LDAP is done by editing one (1) file. Note that your machine will not be able to use AD accounts after this just yet. But we're close :)

In the [sssd] section of sssd.conf, add a line reading

domains = nontoonyt.lan

This is not a Kerberos domain we are talking about, but a domain in sssd lingo. If you want to know more about this, please check the sssd website. At the bottom of the file, we will write our domain configuration:

[domain/nontoonyt.lan]
cache_credentials = true
enumerate = false
min_id = 10000
max_id = 30000
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc01.nontoonyt.lan/
ldap_schema = rfc2307bis
ldap_user_search_base = cn=Users,dc=nontoonyt,dc=lan
ldap_user_object_class = person
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_search_base = ou=Groups,dc=nontoonyt,dc=lan
ldap_group_object_class = group
ldap_group_modify_timestamp = whenChanged
ldap_group_nesting_level = 5
ldap_account_expire_policy = ad
ldap_sasl_authid = BOX5$@NONTOONYT.LAN
ldap_krb5_init_creds = true
ldap_pwd_policy = mit_kerberos
chpass_provider = krb5
ldap_sasl_mech = GSSAPI
krb5_realm = NONTOONYT.LAN
krb5_validate = true
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
ldap_force_upper_case_realm = True

Not all the options above are absolutely required. I like to make some defaults explicit though, to prevent possible changing defaults messing things up in the future and making it easy to see how things are configured by viewing one file.

I'll pick out a couple of the options to explain them. The cache_credentials option will allow users to log into this box when a domain controller is not available by caching credentials. You might or might not want this. Think this through for your setup.

Enumeration will allow you to use getent passwd and see AD based accounts. The trade off is a relatively slow sssd start up and some extra load on you DC, depending on the size of your search base. You might or might not want this. Think this through as well.

Take note of the ldap_sasl_authid property. This needs to be set to the SPN you use to get a ticket while testing in the "Kerberos configuration and domain join" chapter. In our case, that would be BOX5$. Mind the caps and the dollar sign.

Further more, notice the krb5_validate option, which prevents spoofing of TGT by crackers and the ldap_krb5_init_creds, which instructs the id_provider (LDAP, in our case) to obtain a TGT and use it to query the LDAP server (the DC, in our case). Many of the other options are defaults I like to make explicit. Read the sssd.conf, sssd-krb5 and sssd-ldap man pages for more
information.

You can download my sssd.conf from here.

If you run into trouble, sssd might be a bit tricky to debug. Just set debug_level to 5 or so in the [sssd] section of sssd.conf and check to log files in /var/log/sssd.

Final configuration

A couple of things remain in order to allow AD based accounts to log into your server. First, we need to configure the name service switch configuration in /etc/nsswitch.conf. Very simple. Make sure stuff looks like this:

passwd:     files sss
shadow:     files
group:      files sss

That's is.

Next, open up /etc/pam.d/system-auth-ac (mine is here) and add the following pam_sss.so lines as next to last in each section (account, auth, password and session):

auth        sufficient    pam_sss.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_sss.so use_authtok
session     sufficient    pam_sss.so

You might want to add a pam_mkhomedir.so line to the session section as well:

session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel/

Put it as the first line in the session section. RHEL6 will need you to alter /etc/pam.d/password-auth similarly.

Finally, you can add Kerberos awareness to ssh by adding these lines to /etc/ssh/sshd_config (mine is here):

GSSAPICleanupCredentials yes
GSSAPIAuthentication yes

And these to /etc/ssh/ssh_config (mine here):

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

This allows 'hopping' from one Kerberized Linux server to another based on Kerberos alone, without entering your password.

Final considerations: DNS

Please note that Kerberos relies heavily on a properly setup DNS infrastructure. Give all your machines a proper FQDN, an A record, a PTR record and make sure the machine knows what it's called from the outside.

Almost all places I have worked at as a consultant have or had a broken DNS infrastructure to some extent. It always made my life a lot harder that it should have been. Please do this right the first time around!

Final considerations: Linux is not Windows

By enabling login to Active Directory based accounts and editing /etc/pam.d/system-auth-ac, you get AD based authentication and authorization for a lot of services, but not magically for everything. Apache, for example, has to be configured separately.

Also, Linux will not magically update it's password in AD. You can do that (check below at "Final considerations: alternative ways to join"), but not with Samba in this setup.

Linux is not site aware. If you have a large site, spanning multiple physical locations, you will have to specify which DC's you want to use per physical location in the /etc/krb5.conf and /etc/sssd/sssd.conf files. Linux is able to query for _kerberos records in DNS, but will *not* map these to a physical location using the AD "Sites" mechanism.

Final considerations: alternative ways to join

As a rule, most people use Samba's 'net' command to join a Linux server to Active Directory, but there are other ways.

First, there is ktpass.exe on Windows. This tool can help you by exporting a keytab on the domain controller. This keytab can then be copied to the Linux machine and used there. Use must either join the machine using Samba (or msktutil, see below) first or pre-create an object for it.

Pro: the keytab exported with ktpass.exe only has strong encryption types in it (AES-128, AES-256 and RC4).
Con: needs to be done on the domain controller and is therefore slightly
cumbersome

And then there is msktutil. I love this tool. I wish it would be in all distro's. And thankfully, things seem to be moving in the right direction for this: work's already being done to get it in Debian and a fork of it might move into Fedora and EPEL[1].

What this tool can do, is connect to a DC, create a machine object and get you a proper keytab with only RC4 and AES encryption types, all from that comfortable place we call a Linux machine. Love it. Coming soon to a distro near you!

[1] https://bugzilla.redhat.com/show_bug.cgi?id=713313

Final considerations: winbind

I don't like using winbind. I have seen it break too exotically and too often in the past. I'm probably biased and it's probably all fixed, but I'm happy with sssd to talk to Active Directory through LDAP and Kerberos at the moment.

That said, there are enough shops that use winbind exclusively to talk to AD, so if it works for you, great, go for it!

The sssd people are allegedly working on a winbind backend for sssd, which will make it a bit cleaner (in my mind), so I might test that when it arrives.

Winbind has some different ways of mapping users to UID's. It can use LDAP (much like we do in this article), it can dynamically generate UID's and it can generate a static (i.e. the same on all servers) UID based on your SSID.

For shops in which you cannot change AD by installing the Subsystem for Unix-based applications, winbind might be the way to go.

Final configurations: LDAPS

A final option to get to AD based accounts on your Linux server would be to create a service account in AD, enable LDAPS (LDAP over SSL) in your AD and then use plain LDAP(S) for authentication and authorization.

Enabling LDAPS on an AD domain is not something you'll easily talk your Windows guys into, but as a final option, a last resort, knowing about it might come in handy.

Let me know if this article helps you out. If you need consulting services for integrating Linux machines in Active Directory, contact me or my employer. I'm sure we can work something out.

Please, if you find typo's or factual errors in this post: please notify me and I will correct them.

Good luck!

Fixing suspend on my laptop permanently with grub2

2011-10-01T16:42:00.005+02:00

I own a slightly aging Sony Vaio VGN-FW21E, which still is a nice piece of hardware, but has one quirk: it doesn't suspend right. It hasn't done so for the past four or five kernel releases and it still doesn't work properly :(

With older versions of Fedora (<16), it was easy to edit grub.conf (or menu.lst, whatever) and fix this problem by appending "acpi_sleep=nonvs" to the kernel line. With grub2, however, things have changed a bit.

To permanently add something to the kernel line to the grub2 configuration, you need to edit /etc/default/grub (which I consider to be an odd filename on a Fedora-based system) and edit the GRUB_CMDLINE_LINUX variable defined there. For me, it needs to read:

GRUB_CMDLINE_LINUX="quiet rhgb acpi_sleep=nonvs"

If you would like to have a more verbose kernel during boot, or disable Plymouth, you could remove the "quiet" and "rhgb" keywords respectively.

Dear Comedy Central...

2011-06-10T20:00:00.001+02:00

Can you please create a nice Android tablet app to watch my favourite shows with? Plagiarize the CNN app for all I care, but I really need my daily Daily Show fix.

kthxbai.

MySQL + Ruby + UTF-8 + legacy = Hell

2011-05-24T21:28:00.005+02:00

After fighting a bloody war with an old (broken) database with (partial) latin1 character encoding, a server with utf8 and partially broken support in Ruby plugins for UTF-8 in MySQL, I gave up.

If you have databases that give odd characters, the only thing that worked for me in the is to manually sed out all brokenness from a dump of the old database.

Dump your old database, run the following script over it, and re-import it into a utf8 database.

Link

Gnome3, what's to like and what is not...

2011-04-06T23:23:00.006+02:00

So here is a simple list I keep for myself, listing what I like about Gnome 3 and what I do not like.

Like

Clean interface
Click on an already opened app in the application menu switches you to that app
Good sized grippy for resizing windows

Do not like

My external drive (xfs filesystem) gets mounted automatically, but cleanly unmounting it seems to require clicking through the application menu to the disk utility or nautilus and then to the device in order to click 'unmount' or opening a shell and doing it manually: no icon on desktop, no applet, no readily available application to do this
~~CPU for gnome-shell is around 20% constantly, even if I don't do anything (after today's updates, gnome-shell is down to about 8%, but Xorg is still between 15% and 20% most of the time...)~~ This seems to have been fixed :)
May call for revival of gkrellm, because the gnome-panel based system-monitor is no more
Click on an already opened app in the application menu switches you to that app. I'm putting this in both the 'like' and 'hate' columns. Why? Because I like it when new windows open in new Firefox tabs in the window that already was open. But I *hate* it when I click 'Terminal' and get shoved to the desktop where there was one running already. Needs to get a blacklist of some sorts where we can say: "no, for terminals, *always* open a new one". Or something like that.

Jury's still out

Size of the icons in application chooser (too big?)
Size of the window decoration is a bit big and eating too much screen real estate?

I must say, I kinda like it. I do predict there will be a large demand for a program like TweakUI in the near future (damn' it's been a long time since I mentioned that program to anyone). Taking away some clutter is good, but take away all settings and people will try and find new ways to tweak what you tried to hide from sight :)

Cyanogenmod on my Milestone

2011-03-21T11:32:00.005+01:00

After Motorola finally released the Froyo update for the Motorola Milestone, a lot of people were *very* eager to update and taste some frozen yoghurty goodness. I was one of them.

Alas, the Froyo update for the Milestone was big disappointment, and that is putting it mildly. It's slow, it doesn't offer much news, and it still has the locked bootloader. I'm not sure what Motorola is trying to do, but if it is scaring away your tech-savvy customers, they are pretty close to a magnificent success.

So I tried to find some time to check out the several mods that exist for the Milestone, like FroyoMod and Cyanogenmod. It was a bit of a hassle, due to the bootloader crap, but in the end I managed to check them both out. FroyoMod didn't really work for me (probably due to me not completely resetting the phone), but Cyanogenmod was fantastic. It's wonderful. It's great.

Previously, my phone ran a pretty buggy 2.1-update1 firmware, that caused random boots, terrible voice quality. Of course, I put that 2.1-update1 firmware on there myself. I did that fairly soon after I bought the device and thought nothing more of it. I expected bad hardware, not bad software, caused the rebooting and terrible voice quality, but I was too lazy to look into it. :P

Cyanogenmod, however, is fast, offers *great* voice quality, does not reboot several times every day and is has the Motorola crap ripped out. I love it.

Now, today, a day after I first loaded a mod onto my Milestone, I learned the bootloader encryption key has been cracked. Praise be. Fully custom ROMs are on the horizon. It'll be a cold day in hell before I next buy a crippled Motorole phone, though.

Update: bugger... apparently we have all been fooled. The bootloader is still locked :(

Resume from suspend broken on recent Fedora, Ubuntu, Arch (and maybe more)

2010-10-18T12:38:00.000+02:00

So I was testing out the most recent Fedora 14 beta on my Sony Vaio FW21E and found that though suspend itself seemed to work fine, resuming did not. Pressing the power button to resume from suspend resulted in a complete lukewarm boot.

A bit of Googling showed that there a good many people suffering from this. There are posts on the Ubuntu forums and the Arch Linux forums about it. Apparently, a kernel patch regarding ACPI introduced during the development of 2.6.35 broke stuff a bit for some hardware.

Luckily, upstream has already noticed this. If you pass acpi_sleep=nonvs to the kernel command line, resuming from suspend will work nicely again. An automatic fix will be in 2.6.36: devices needing the acpi_sleep=nonvs option will be blacklisted, so manual correction will not be necessary anymore.

To fix this on Fedora and Arch Linux running the old 0.97 version of grub, you can just edit /boot/grub/grub.conf and add the acpi_sleep=nonvs to the end of the 'kernel' line.

On Ubuntu, running the newer grub2 bootloader, you should edit /etc/default/grub and add acpi_sleep=nonvs to the end of the line for the GRUB_CMDLINE_LINUX_DEFAULT variable. After that, run 'sudo update-grub' to make things permanent.

Many of the people reporting this problem on the forums have Sony hardware, though I did see some other things, like Dell passing by.

Happy suspending!

Trying to get away from Flickr

2010-09-05T08:01:00.000+02:00

I created a Flickr account in '05, that is five years back. In the meantime, I have uploaded a huge amount of photo's to it. Last year, in between all the 'Microsoft will take over Yahoo' rumors, I tried to get away, just to see whether I could go without Flickr or that Flickr would prove to be just too good.

It *is* just too good. Over the past year, I tried - in random order - Picasa, Ipernity and Zooomr. Neither of them is even close to Flickr. Here's why.

First Picasa. Much as I like Google for most of its services (I'll skip the political issues), Picasa is just plain wrong. It lacks just about every feature that makes Flickr neat. I'm actually sorry I paid for this. It's just no good. Picasa development for Linux is *way* too slow and running Picasa on Wine sucks.

Then Ipernity. Ipernity is in just about every aspect a Flickr clone and yet still it lacks. It lacks in the fact that there is no working Python SDK for it and the fact that its community is just not the same as Flickrs. That last part is subjective, of course, but it is the feeling Ipernity left me with.

Last is Zooomr. Although Zooomr is a nice project and I have a Pro account for it for free (used it to post my blog pictures a while back), I hardly use it anymore. Why? Because it's more broken than not (at least, it used to be) and doesn't feel nearly as intuitive as Flickr, Picasa and Ipernity. It feels messy. Also, it is often 'closed because of the impending next big release'.

But Flickr has a great community, a host of third party apps (for making prints or t-shirts or calendars, you name it), a good feature set, SDK's, uploading tools that work on Linux and it works *all the time*. So from today, I'm back on Flickr. I tried to get away, but is just too good.

This is where the net goes without neutrality

2010-06-21T09:15:00.000+02:00

How does this look as a future ad for an ISP? This is where we'll go without netneutrality. Like it? I figure you do not. Netneutrality is important for everyone, not just us geeks.

from: http://respectmyprivacy.net/respect-my-privacy

Clicky keyboard forevah!

2010-06-01T14:25:00.001+02:00

A couple of months ago, I had this conversation with one of my buddies at work about keyboards. I told him I used to have an old IBM keyboard at one of my previous jobs, that I had loved it and that I missed it :'(

The next day or so, he brought me an ancient IBM model M keyboard he had lying around. It's a wonderful piece of mechanics (yes, mechanics, not - or hardly - electronics). According a Wikipedia article about the Model M, this one is approximately between 15 and 18 years old.

Between the time this keyboard was made, I have gone through at least 2 Microsoft Natural Keyboard Pro's, a Microsoft Natural Keyboard Pro OEM, a wireless piece of Microsoft keyboard junk, some Logitech PoS and another, slightly bent, Microsoft keyboard. Strangely, as much as I am a Linux ~~fanatic~~ lover, I kinda like Microsoft's hardware. Maybe they should specialize in that and leave making operating systems to the adults. ;-) But even though I liked some of the above keyboards (especially the Natural Keyboard Pro's), they all pretty much died under the heavy usage I submitted them to.

This IBM wonder here is way, *way* older and still functions brilliantly. The only downside is the noise it makes when used, but that's of course also part of it's high cool-factor.

Anyway, the Model M my buddy gave me was old. Dirty and old. So I have been looking for an opportunity to clean it and last Sunday, it finally arrived.

First, I started popping off all of the letter caps. I still couldn't quite get underneath the keys though, so I just took them all off, revealing 15 to 18 years of dust and, well, let's just leave it at 'dust, etc.' ;-) The spacebar seems to have had a thing metal wire attached to it, with some sort of metal clamp. I'm not sure what the wire was supposed to do. The wire disappears into the keyboard. I don't exactly know where it goes. If someone knows what the wire is for, please leave a comment. I broke the wire when I took off the spacebar >:)

Next, armed with a kitchen rag and some nice chemical kitchen cleaner, I viciously attacked the dirt on the keyboard, but not before having dealt the first blow using the almighty vacuum cleaner. This left my keyboard in a fairly clean state.

After I popped off all of the letter caps from the plasic feet they're attached to, I just dropped all of them in the sink and drowned them with hot water and Dreft. Dreft always delivers :-) When I fished them out, they were mostly clean, so I just left them to dry on an old towel in the study.

If you are still reading at this point: get a life. A guy is telling you the most boring story ever about how he cleaned this keyboard. Sheesh... :P

A good 20 minutes of puzzling later, I had myself a pretty, clean, working and noisy IBM model M keyboard. I love it. I'm typing this post on it now (the main reason I'm writing this is to check all the keys and whether it feels right. It does, btw).

Jeroen, thanks man. Nothing beats the Model M!

ig Content's dystopian wish-list for the US gov't (boingboing.net reblog)

2010-04-15T16:35:00.000+02:00

Trying to expose as many people as possible to some utterly, utterly insane, ridiculous and infuriating things the MPAA and the RIAA want the US government to do. Maybe we should all stop listing, watching and buying DVD's and CD's altogether...

Un-be-lievable.

http://www.boingboing.net/2010/04/15/big-contents-dystopi.html

Stop ACTA!

2010-04-13T00:10:00.006+02:00

Als je nog nooit van ACTA gehoord hebt, wordt het tijd dat je er iets over leest. Echt. Zoveel tijd is er niet meer. ACTA kan in potentie een groot deel van de verworvenheden van de laatste 50 jaar teniet doen.

Download Red Hat VirtIO drivers for Windows

2009-11-26T20:58:00.004+01:00

Heh. I've been on the CC list for #489376 for quite some time. Actually, I had all but completely forgotten about it. I stumbled into it today, when browsing through Red Hat's bugzilla, searching for information about some other problems, and I clicked on a link that I had clicked a thousand times. It was a link to the Red Hat 5.4 KVM documentation. And whaddayaknow: even though the bug report is still marked as RELEASE_PENDING and even though the WHQL page at linux-kvm.org still lists a couple of zip-files, the drivers are already in what is called the Windows Server Catalog. So, what are you waiting for? Go test them!

Problem is, I have no idea whatsoever, on how to download them :-) Maybe I should touch a Windows box every now and then.

The fglrx debacle, or: the future of proprietary drivers in Linux

2009-08-18T13:27:00.004+02:00

First of all, let me state here once and for all that I appreciate ATI's and AMD's effort in bringing the Catalyst drivers to Linux, how meager the quality of the driver might be: if it wasn't for ATI and AMD, we would have nothing at all. And you have got to applaud AMD's releasing of documentation to the radeonhd project.

Now, to the point. It has taken the fglrx guys almost 6 months to bring 2.6.29 support and now that they did bring it, it does not work on the one distro that uses a 2.6.29 kernel: Fedora 11.

Apart from that, it seems to be pretty hard to code the fglrx driver towards the new X architecture in F11. I'm in a bit of a rush now, but to me it seems that this proves the days of the proprietary driver and coming to an end. The pace with which open source software develops will in the end too fast for most hardware manufacturers. The only thing that remains then is to depend on open source projects to provide drivers, like radeonhd. If AMD would put a bit more effort in supporting the radeonhd project, even with coders possibly, I feel radeonhd would be up to par in a relatively short time. And that would mean a more stable, more portable, more rapidly developing, more open driver for ATI graphics cards. Now, who would not want that?ra

Brein succeeds in blocking TPB in the Netherlands

2009-07-31T08:36:00.011+02:00

Brein just scored a major win against The Pirate Bay, as a Dutch court ruled that TPB had to block Dutch users from the website. (Linked sites mostly in Dutch; Brein is the Netherlands' equivalent of the RIAA, mixed with the MPAA and then some.)

I am not amused. Not only is Brein's move utterly futile, it will further alienate users, it is censorship and it is showing again that the entertainment industry refuses to enter the 21st century.

Let me explain myself.

First of all, Brein's move in having TPB blocked is futile in their grand scheme of things. Why? Because TPB is only one of such sites. And there are not a few of them, there's dozens of them and with each one that goes down and two new ones will pop up. Thus what Brein is doing, is showing it's overlords that it is doing it's job. No more, no less. Futile.

What is Brein's job anyway? It is to protect the rights of the entertainment industry. Let's see how much protection they already have and how much they actually need. To start with, consumers in the Netherlands pay a levy on most digital and analogue media to Stichting Thuiskopie. With prices of about €0.60, currently the largest part of the price of an empty DVD, is Thuiskopie's levy. Thuiskopie is supposed to compensate artists for the fact that is actually legal in the Netherlands to make a copy of original media for personal use. Good idea? Well, partly. Biggest problem is that Thuiskopie doesn't actually function that well. As Thuiskopie receives money from consumers like you and me, it has proved to be unable to pay out the compensation moneys to artists.

Making a copy of an original work for personal use - the so-called 'thuiskopie' - is considered fair use and the entertainment industry is properly compensated for it. Or at least, it could be, if it's Stichting Thuiskopie would be able to do half a decent job. But it isn't and that really is not my problem.

Now for how much protection the entertainment industry actually needs or should get. First of all, let me put forward that I think that the artists are the ones who should receive my cash if I decide to buy music. If we take a look at how we tended to spend our money on entertainment products in 2008, we'll see that the music industry's profits over 2008 are actually up! So much for the sad stories about how profits decline and artists are left without income due to piracy. But wait, there is more: we actually spent less on recorded music and more on live performances. That is really interesting, because most artists get the better part of their income from the concerts they give and much less so from selling CD's. Our money actually landed where it is supposed to over 2008! Good news!

Not for record companies of course. They are the ones who reap the profits of CD sales. But still, the music industry as a whole was up last year, so I'd say there is protection enough.

I think knowledge of the above is bound to drive consumers away from the traditional record companies as most consumers will view it as unfair to first pay a compensation levy and then hear over and over that what you do is wrong. I even think that the levy is regarded as having paid for the right to copy and download digital works. Even though I understand that's not quite what the levy was intended for, I do understand the reasoning.

Finally, and I consider this to be the worst part of the outcome Brein's successful campaign, blocking a website is morally wrong. It is censorship. For the benefit on a few companies, who failed to update their business model for too long, we are tampering with freedom of speech! Freedom of speech, people, is sacred. That is why we try not to interpret it too much. Freedom of speech is as absolute and broad as is, well, as is possible.

Their are a few exceptions and even over those exceptions there has been (and still is) a lot of debate. Things that are utterly criminal, like outings of child abuse or enticement to terrorist activity are part of those exceptions and thus illegal, and -imho- justly so. But even attempts to outright insult another person (or organisation, or religion, or whatever) have to be pretty harsh to not be covered by the freedom of speech. Which, too, is good, imho.

What we see happening now, is that for the profitability of a few companies with nearly obsolete business models, we start accepting censorship of the internet. Profitability can never, ever come in the way of free speech.

I know a lot of people will now object with 'but showing links to download copyrighted material is not covered by the freedom of speech'. Ah, but it is. At least, according to article 10 of the European Convention on Human Rights, which goes above most law in European countries. Needless to say, that most constitutions of western countries implement the freedom of speech as well.

Reading that text, it seems that the freedom of speech and the freedom to express oneself are (almost) absolute. The ECHR does allow for some restrictions, but those restrictions should always be '[...] necessary in a democratic society'.

Now ask yourself: who is society?

Disclaimer: I hold the opinion that censoring is almost always morally wrong. However, I do not refuse to pay for music, video or other forms of digital entertainment. I do refuse to have large corporations dictate law and allow censorship of the internet on their behalf. Yes, the internet is an anarchy. Let's keep it that way as much as possible, because that was the root of it's success. Spend your money on concerts instead of CD's. Bring it to the ones that actually make the music.

vmware-any-any-patches: the one list, part two

2009-07-06T20:52:00.001+02:00

Trying to get VMware Workstation 6.5 and / or VMware Player to work in Fedora 11? I hear this thread on the VMware forums will help you out.

I switched to KVM months ago myself. Consider this a courtesy update to my 'one list' for vmware-any-any patches ;-)

Prism on Fedora

2009-05-11T10:30:00.002+02:00

Finally: a new version of Prism.

I have been doubting whether to make rpm's for prism for my Fedora install or waiting for the Prism team to release a version of the extension that works on the Firefox 3.5 beta's.

I'm glad the team released the extension before I got to deciding to build the application myself. Saves me from a lot of work and it *finally* gives me the option of having a gmail menu option in Fedora :)

Edit: you might want to have a link to go with this post

Linux pro trying out an Windows 7RC installation

2009-05-05T15:01:00.006+02:00

In a previous life, I worked for a huge Dutch IT consulting corporation. This was back when I started in IT (well not really, but at least I didn't have any certifications), so they required me to go on MCSA training. I completed all the courses and exams successfully, so apart from being pretty well qualified on Linux, I am actually an MCSA on Windows 2003, too. Don't tell anyone, I'd really like this to remain a secret between us.

So anyway, they see to keep your friends close, but enemies closer. Therefore I decided to give the RC for Windows 7 a spin. Not really, of course, but in a KVM virtual machine on my laptop running Fedora 11 to my full satisfaction.

I downloaded the ISO, got me a serial and read the requirements. The first thing I noticed, was the fact that the system requirements aren't all that steep. I'm not sure what that means for the performance inside a VM (and actually performance in general, remembering the Vista class action suit), but then again, I'm only test driving it.

What did stand out in the requirements was the fact that I had to have 16GB (what??) available in free disk space. Now, I do have space. Lots of it. But 16GB? What the heck does an OS without any extras (like Office applications, photo editing software, etc.) need 16GB for?

Then, whence installing, I noticed the installer partitioning my disk with a 100MB partition of the "System"-type and the rest as the "primary" partition. I'm pretty sure from my endeavors with fdisk, that there is not such thing as a partition of the "System"-type. I'm downloading a Knoppix image right now to find out what Windows thinks is a partition of the "System"-type. Maybe it's /boot? ;-)

There is no 'Use whole disk' or 'Do this automatically for me' button, but the 'New' button functions more or less as one of those.

The actual "Installing Windows" screen shows a couple of steps, which take a while to go through but nothing extreme. There is something listed called 'Installing features', though, which made me wonder what the other 'Install' items were doing.

Then there is a reboot, and 'Setup is updating registry settings' and 'Setup is starting services' screens.

After that, we're back in the "Installing Windows" screen, where 'Completing installation' is highlighted. Processor is at 100%, screen flickers a bit, hardware detection going on.

After another reboot, 'Setup is preparing my computer for first use' and I am asked for my username and a password (and a password hint? what?) in a second screen. In the next screen we enter the serial. Apparently, MS still has an Activation scheme going on, because Windows 7 wants to 'activate' itself when I'm online. Mmh. I don't really like that stuff. So let's not, for now.

I like the fact that an update scheme is presented to the user, which makes security a more prominent issue in Windows. Timezone picking is next, followed by a computer location selection screen. I wasn't familiar with this. I am supposed to pick from 'Home network', 'Work network' and 'Public network'. I imagine this affects default firewall settings and stuff, but a bit more detailed description of the three options would have been nice for people that have a clue and would like to know what happens under the hood. What is good, is that 'Public network' (and thus high secutiry, I think) is recommended. I select 'Home network'.

After this, setup goes on 'Preparing my desktop' and there we are. Notice there is no last reboot in between. The desktop instantly made me think 'hey, this looks like KDE4'. It has a broad taskbar and huge icons, just like default KDE4.

IE asks me what search provider I want to use, which is good. It then start babbling about 'accelerators' and 'web slices'. I am clueless about what those are, so I turn them off. CTRL-L still acts retarded on Windows, sadly.

The layout of the control panel looks cluttered, but there is a search option, so I finally got to see what this UAC thing is, everybody was so mad about.

At this point, I started to loose interest. I tried a reboot to check boot speed and I must say, Windows 7 boots pretty quick. It lost my network settings though, again asking me the 'Home network', 'Work network' etc. question.

Final remarks: the KVM soundcard, that works fine in Windows XP, doesn't seem to work. The actual amount of disk space Windows 7 takes is well over 7GB. I don't know what the 16GB requirement was for then. Otoh, 7GB? For an operating system without office applications and such? What? That's insane! There's the system32 directory holding almost 2GB, but the big whopper is the winsxs directory with almost 4GB. I read this directory has something to do with compatibility and resolving problems with dll hell, so it probably has its uses, but 7GB for an OS? Wow.

I rebooted once more into the Knoppix Live environment. The 'System'-type partition is just a normal type '7' HPFS/NTFS filesystem, just like the main partition. The difference is that the 'System'-partition is bootable, which actually *does* make it a bit like a /boot partition. Oh well, copying is a form of flattery.

Ok, enough played. I'm shutting down the VM and going to do some actual work here.

Monoless Fedora? UPDATED

2009-04-30T21:28:00.006+02:00

Mono, mono, mono. If there has been one project to divide the free software community over the past couple of years, it is Mono. By itself, Mono is just an implementation of C#, the CLR and some more programs making up the .Net toolchain. C# and the CLR are not much different from Java in concept. Both provide a cross-platform programming language and runtime environment, both are licensed under an open source license. No problems so far.

The trouble starts where Mono actually attempts to provide compatibility between Windows and other operating systems. A pure Mono application like Tomboy is unlikely to be harmed by this. The problematic part arises from the fact that Microsoft hasn't submitted all parts of the .Net stack to ECMA. So attempting actual compatibility can become dangerous. Microsoft doesn't exactly have a clean track record on the field of fair competition, so one has to wonder whether it is likely for Microsoft to use its patents to stop the Mono project when it becomes too successful.

Remember, in this context, that Microsoft has promised not to sue Novell and its customers for infringement with regard to Mono. According to Miguel de Icaza, this promise extends to Novell, its customers and its developers. When we read this the other way around, it does *not* extend to Mono users who are not affiliated to Novell. This scares me. You'll have to decide for yourself in howfar this scares you.

Now imagine Mono-based software is pushed into the popular distributions on a larger scale. It would be possible to replace a pretty large amount of readily available programs with Mono-based counterparts. Think Banshee, Beagle, Gnome Do, F-Spot, Tomboy, Muine, just to name a few.

And now image Microsoft legally pulling the plug on (parts of) the Mono project, taking the whole Mono eco-system with it, just when people got used to Mono-based programs. Ouch.

I'm not saying that that problem would be insurmountable. Au contraire: it'll probably create a huge drive in creating non-Mono alternatives. But it will hurt us. And it is unnecessary: we have C, C++, Java, and Python-programs right now.

Personally, I don't really like the whole Mono thing. I think the whole interoperability business is bogus. I think we do not need Mono. In fact, I think the whole Mono project is redundant and that it should be looked upon with great suspicion. I may be overstating it a bit, but having been in this business for quite some time, I know that old dogs never learn new tricks. To quote admiral Ackbar: "It's a trap!"

Let's not put any more Mono-software in Gnome. And yes, let's support initiatives like gnote that provide alternatives to already established Mono-programs.

Anyway, if you want to rid you Fedora box of Mono, this aught to do it:

# rpm -e mono-web monodoc mono-addins mono-winforms mono-data-sqlite mono-data mono-extras f-spot tomboy mono-core gnome-sharp gnome-desktop-sharp gtk-sharp2 ndesk-dbus ndesk-dbus-glib gtk-sharp2-devel

Just install gnote as a Tomboy replacement, move .tomboy to .gnote and you're done.

UPDATE: It seems the guys at Fedora are on the same track and are pondering the replacement of Tomboy with gnote. And personally, I love them for it.

RHCDS certified!

2009-04-25T22:40:00.002+02:00

I just received word that I passed the RH436 exam (Clustering & Storage) last Friday. Pretty happy with the score again :-)

RH436 was the last exam I needed for my "Red Hat Certified Datacenter Specialist" title, so as of today, I am a RHCDS!

Bye bye Last.fm, Hello Deezer.com!

2009-03-25T12:46:00.002+01:00

In a couple of days, Last.fm will be starting to charge users outside the US, UK and Germany for on-demand radio on their website. I used to be a Last.fm subscriber, but I'm dropping their service like a hot potato for this.

It's not that I think that you shouldn't be paying for a webservice. It's just that I don't like being the one paying to make something free for someone else. Especially is the other person is not of the needy kind. That is what this feels like.

Someone on /. posted a comment refering to deezer.com. Hadn't heard of it, checked it out, saw it was cool, dropped last.fm like it had an STD.

Weave: your bookmarks in the cloud

2009-03-17T13:04:00.003+01:00

In the past, I have used del.icio.us, Google Bookmarks and a host of other service to sync my bookmarks between installations of Firefox. In the end, I always quit using them pretty quickly (well, for synchronization at least, I'm still using Google Bookmarks for other stuff). I usually quit them because in the end, they didn't work. For example, del.icio.us (and Google Bookmarks) use tags to order your bookmarks. By itself pretty cool and very 21st century. Firefox however doesn't have a very useful interface for using a lot of tags. I have nearly 200 tags registered in my Google Bookmarks account. No problem for a web-based service like Google Bookmarks, but not very useful when you have a single column bookmarks menu in Firefox. I now tend to use Google Bookmarks for sites I need to be able to find again or sites that are an interesting read for later on. I still use the bookmarks menu in Firefox as my default bookmarking service.

Enter Weave. Weave is a Firefox extension / service from Mozilla Labs that lets you sync bookmarks, history etc. between Firefox installations. It needs Firefox 3.1b3 at the moment, so it's pretty bleeding edge. Nice feature is the fact that your stuff is stored encrypted by a passphrase you to supply when registering.

Now, imagine you have a Fennec installation on a small form-factor device. Fennec has Weave too, so I can use my main Firefox bookmarks, history, yes even tabs on the Fennec browser on my N800. I know Opera also has a feature like this, but I've never felt comfortable with Opera, so that just won't do. Besides, there is no Opera for my N800 :-)

So, to make a long story short: keep your eyes open for Weave.

I hacked my Vaio!

2009-03-08T13:04:00.004+01:00

Yessiree! With a little help of some tools made by some great mind, I managed to flash the BIOS of my Vaio with some bytes changed. I readily admit it was *very* scary, but in the end it worked and now I have Intel VT working on my VGN-FW21E.

No thanks to Sony support, of course. I have had several email conversations with them, but in the end they always said: 'look, we don't support this and therefore we do not know how to turn it on'. With that they conveniently forgot they were the ones to build the stupid and broken BIOS image in the first place...

Anyway, if you own an Vaio from the FW-series (or a few other types), you might want to read this thread on the forums of notebookreview.com. It fixed my problem!

I can *finally* run kvm on this things, which is the one thing I originally bought it for!


$ lsmod | grep kvm
kvm_intel              52944  1
kvm                   137976  1 kvm_intel

VMworld Europe 2009 update

2009-02-25T18:01:00.005+01:00

I had envisioned me posting regular updates about stuff I see here at VMworld, but my schedule is so busy (and WiFi coverage at the Palais so crappy), that I ended up doing this first post after almost two days in my room back at the hotel.

To start of with the good stuff: I have heard very interesting things today. VirtualCenter (now rebranded vCenter, apparently) is in the process of being ported to Linux. It's mainly the vCenter backend that's ported, not the VI Client, but this does allow for making vCenter an appliance and running it on a *solid* platform (e.g. not Windows). The demo was very convincing. So much so even, that some wondered out loud whether a Windows version of vCenter would even be needed anymore. And the best news is, that vCenter will eventually support MySQL and / or PostgreSQL as it's database. Can I hear a 'w00t!'?

Notice VMware ported vCenter to Linux because of customer demand and because people are uncomfortable with running mission critical apps on Windows. All in all good news for us penguins!

Anyway, there was other news too. I went to a demonstration of SUSE Studio, which was actually pretty cool. I hope I get my account for the alpha version soon: I would love to try this out. SUSE Studio is a framework that lets you easily create apppliances based on either SLES or OpenSUSE. It features impressive things, like being able to set up a database with a prebuilt schema during this process, without having to actually configure the machine. It's all done for you.

I've also heard VMware devs talk about paravirtualized SCSI drivers (and devices), VMkernel development, private VLAN's, IPv6 support for the whole VMware software stack (that includes the service console and the VMkernel ports, contrary to the current situation) and loads of performance enhancements for ESX.

Now if only they'd drop the idea that removing the service console is the right way to go...

Red Hat announced RHEV a couple of days ago. And even though I remember a recent Slashdot comment saying Red Hat was leagues behind the rest of the field, I think they are just getting started. RHEV looks *really* promising to me.

There have been some things that were a bit annoying here as well. As a a lot of money has been paid for me to be here, I would have expected to be able to attend every session I wanted to. Some of the more interesting sessions, however, were held in extremely cramped, small, awfully hot rooms. People were sent away because the rooms were full at more than one occasion. This was worse on Monday than on Tuesday, so let's assume the organization learned a bit overnight, but it still was pretty irritating.

The food's good though and so was the VMware Benelux party last night. Time to go take a shower and get ready for the VMworld party tonight :)

Major stride in becoming RHCA!

2009-02-20T15:21:00.004+01:00

Hallelujah! I just passed the RH442 exam, which is my third one on my way to becoming a Red Hat Certified Architect. Three down, two to go!

And I'm pretty proud of my scores too :-)