Wednesday, March 14, 2012

Samba as an AD member server

The purpose is to allow Unix/Linux administrators to use their skills and knowledge to provide file and print services while still playing nicely with the campus domain. These steps apply to Debian Lenny, using packages out of the stable distribution (no third-party repositories).
Install the necessary packages:

aptitude install samba smbclient winbind krb5-user krb5-doc krb5-config ntp
 
Edit /etc/resolv.conf to point to the AD DNS:


search some.edu
nameserver 192.168.1.11
 
Test forward and reverse lookups, resolve any problems before moving on.

Edit /etc/ntp.conf:


server ad.some.edu
#comment out the other default time servers
 
If your time is way off, you can stop the ntp service and use ntpdate to set the clock then restart ntp.

If you are running a Xen virtual machine, you will need to do the following to free the system clock from the dom0 clock. In my install, the guest clock was fixed incorrectly to the host clock, being off by about 7 minutes without a way to reconcile the two. This will work for the guest:

Edit /etc/sysctl.conf and add the line:

xen.independent_wallclock=1
 
Edit the guest configuration file on the dom0 by adding the line:

extra="clocksource=jiffies"
 
Back to the samba configuration. Edit smb.conf to look similar to this:


[global]
unix charset = LOCALE
workgroup = SOME
realm = SOME.EDU
netbios name = mysuperawesomesambaserver
server string = My File Server
allow trusted domains = No
security = ADS
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap backend = rid:SOME=500-100000000
idmap uid = 500-100000000
idmap gid = 500-100000000
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
template shell = /bin/bash
printing = cups
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE

[My Share]
comment = Work files
path = /shares/myshare
valid users = @"SOME\some_group"
read only = No
browseable = Yes

[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = Yes

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
admin users = root, Administrator
write list = root
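
The `idmap backend = rid` setting above maps each domain account to a Unix id arithmetically (id = RID - base_rid + low, the documented idmap_rid formula), so the mapping is reproducible across servers but also fixed: with a range starting at 500, the domain's built-in Administrator (RID 500) lands on uid 1000, which on Debian is the first locally created user. The Python below is an added example, not code from this post or from Samba, that applies that formula and flags ids already held by local accounts; the domain SID and the /etc/passwd excerpt are constructed, and `wbinfo -S <SID>` on the real box should agree with it.

```python
import re

# idmap settings copied from the smb.conf above (rid backend, range 500-100000000)
IDMAP_LOW = 500
IDMAP_HIGH = 100000000
BASE_RID = 0          # Samba's default for idmap_rid; no RIDs are filtered out

# Constructed domain SID prefix; the real one comes from `net getdomainsid`
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def rid_to_id(sid, low=IDMAP_LOW, high=IDMAP_HIGH, base_rid=BASE_RID):
    """Map a domain SID to a Unix id the way idmap_rid does: id = RID - base_rid + low.

    Returns None when the SID is not from the configured domain or the result
    would fall outside the configured range (winbind refuses such mappings).
    """
    m = SID_RE.match(sid)
    if not m or m.group(1) != DOMAIN_SID:
        return None
    rid = int(m.group(2))
    if rid < base_rid:
        return None
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None


def local_accounts(passwd_text):
    """Return {uid: name} for every entry of an /etc/passwd style text."""
    accounts = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            accounts[int(fields[2])] = fields[0]
    return accounts


def collisions(sids, passwd_text):
    """Return [(sid, uid, local_name)] for domain SIDs whose mapped id already belongs to a local account."""
    local = local_accounts(passwd_text)
    found = []
    for sid in sids:
        uid = rid_to_id(sid)
        if uid is not None and uid in local:
            found.append((sid, uid, local[uid]))
    return found


# Constructed /etc/passwd excerpt: Debian gives the first interactive user uid 1000
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
matt:x:1000:1000:Matt:/home/matt:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
"""

# Constructed SIDs: RID 500 is the built-in Administrator, 1105 an ordinary user,
# and the last one belongs to a foreign domain that this config does not map
SAMPLE_SIDS = [DOMAIN_SID + "-500", DOMAIN_SID + "-1105", "S-1-5-21-9-9-9-1105"]

if __name__ == "__main__":
    for sid in SAMPLE_SIDS:
        print(sid, "->", rid_to_id(sid))
    for sid, uid, name in collisions(SAMPLE_SIDS, SAMPLE_PASSWD):
        print("COLLISION: %s maps to uid %d, already local user %s" % (sid, uid, name))
```

Files created through Samba by a colliding domain account end up owned by the local user with that uid, so the usual fix is a range that starts above the local uid space.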
 
Edit nsswitch.conf to use winbind:


# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns wins
networks:       files dns

protocols:      files
services:       files
ethers:         files
rpc:            files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files
 
Edit krb5.conf:


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SOME.EDU
dns_lookup_realm = false
dns_lookup_kdc = true

[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}

[realms]
SOME.EDU = {
    kdc = ad.some.edu
    admin_server = ad.some.edu
}
 
Delete /etc/samba/secrets.tdb if it exists and then delete the cache files:


rm /var/lib/samba/*tdb
 
Test your smb.conf with testparm and clear up any errors before proceeding. As a matter of fact, this is also a good time to make sure that Kerberos is working. Issue the following:

kinit yourusername@SOME.EDU
 
Enter your password when prompted, then check your ticket with

klist
 
If you have any problems with getting a ticket, back up and check your krb5.conf settings.

Once all the above is sorted out, it's time to join the domain. Run the following at the prompt to put the computer in a specific container:


net ads join mycontainer\/innercontainer -U userwithjoinprivs -W SOME -S ad.some.edu
 
There is a very good chance that will fail. If it does, use the AD Users and Computers snap-in to add the computer account manually to the correct container, then run the same command without the path to the container:


net ads join -U userwithjoinprivs -W SOME -S ad.some.edu
 
It should work now because it no longer has to work out the correct path. However, you will get a DNS error message about not being able to update the record. Go back to the Users and Computers snap-in and change the name from 'localhost' to the proper name by right-clicking the computer, clicking 'Properties' and using the Attribute Editor to change the appropriate field. The actual DNS record, both forward and reverse entries, will have to be added by a domain admin.

Test your join with:


net ads testjoin
 
Make sure you can see domain users and groups and that the secret handshake has been made:


# List of users
wbinfo -u
# List of groups
wbinfo -g
# Secret handshake status
wbinfo -t
 
Check that NSS is working properly:


getent passwd
getent group
 
You should see local and domain users and groups from the above. If not, check your nsswitch.conf and fix any errors.

Be patient, we're almost there. Two more tests, one to check Kerberos communication with the AD controller and one to check account lookups:


net ads info # Should produce output like the following
LDAP server: 192.168.1.11
LDAP server name: ad.some.edu
Realm: SOME.EDU
Bind Path: dc=SOME,dc=EDU
LDAP port: 389
Server time: Wed, 22 Apr 2009 16:32:26 PDT
KDC server: 192.168.1.11
Server time offset: 0

#This command returns information on the status of the server
net ads status -U youraccount

So far, so good. If you set a group as a valid user for a share in smb.conf above, you'll need to create that group in the Users and Computers snap-in and add your users to it. Test connecting to your share from the server with:

# The share name is the [section] name from smb.conf; forward slashes avoid the shell eating the backslashes
smbclient "//mysuperawesomesambaserver/My Share" -U youraccount
 
Then get your firewall ports opened up to allow your VLANs access. You will need at least 445/tcp open and probably 135/tcp, 137/udp, 138/udp, and 139/tcp (I haven't tested the 13x ports yet, but my firewall rules have them open.) Once that is set, go to a client that is on the domain and see if you can connect to the share. If you can't, take note of the error message and see if you have skipped any steps above.

These steps are based on the resources below and experiences in setting up a samba member server. I will use these notes on the next install and make any revisions as necessary.

Resources

Samba documentation
Winbind how to
Procedures for net ads join
Some more samba stuff
Yet more samba stuff
Even more samba stuff
smbclient command reference
Microsoft net use reference
Samba and Debian how to (short)
smb.conf reference
Samba security documentation
Xen clock reference

Monday, March 5, 2012

Debian Squeeze upgrade problem with mdadm

Following the Debian release notes, chapter 4, everything should go fine until you perform the upgrade of the kernel and udev.  Because of big changes in both, you will get a warning during generation of the initramfs that your mdadm devices do not have entries in mdadm.conf and that you should compare the output of /usr/share/mdadm/mkconf to /etc/mdadm/mdadm.conf.  The problem is that the mdadm.conf that has the wrong entries is the one made for the initramfs, not the one in /etc/mdadm/.  Comparing the two will show the same UUIDs.  I don't know what creates the config file for initramfs, but it uses the newer style of generating the last half of the UUID by hashing the hostname and not by scanning the superblocks for the actual UUID.  So, if you ignore the warning because the output of mkconf matches the contents of /etc/mdadm/mdadm.conf and then reboot, you will find yourself at a busybox prompt when the kernel can't find the root filesystem.  It can't find the root filesystem because it could not mount the md array that contains the lvm partition containing the root filesystem.

I don't know how to avoid this, but I do know how to fix it.  I had written down the md devices and the corresponding UUIDs in case I ran into trouble, so that helped.  I did not run `script` during the upgrade process, but that file would only have been useful during failure analysis.  Anyway, edit /etc/mdadm/mdadm.conf to have the correct UUID entries for your devices.  Save the file and then run

mdadm --assemble --scan

Check /dev to see that it is populated with your md devices, i.e., /dev/md0, /dev/md1, etc.  Then activate lvm volume groups:

vgchange -a y

Now you should have access to the root filesystem and can type 'exit' at the prompt to continue the boot process.

Once the system is up and running again, continue the upgrade process from the release notes.  I had to run apt-get upgrade twice because I got dpkg warnings about some packages not being installed/configured due to errors in post-installation scripts, loops between services, and the like.  I've seen this before and usually it will clean itself up once you run apt-get upgrade a second time.

Now if you check /etc/mdadm/mdadm.conf, you'll see that the UUIDs that the initramfs was trying to use are listed.  Set these to the correct UUIDs and regenerate the initramfs so that it can boot correctly in the future.

update-initramfs -u

You'll notice in section 4.5 that the mdadm gotcha isn't listed.  If you google for it, you'll see similar issues going back to when Squeeze was still in Testing.
Some mdadm/busybox and lvm recovery info.

Without knowing what script is doing the wrong thing regarding UUID, it may be possible to uncompress the initramfs and edit the file for the initial boot to avoid the busybox business.
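
To see exactly which half of a UUID the initramfs copy got wrong, and to produce a corrected mdadm.conf before regenerating the initramfs, here is an added Python example (mine, not from this post or from the mdadm project). The ARRAY lines are constructed samples; on a real box the stale copy would come from the initramfs (the cpio one-liner in the comment assumes a gzip-compressed initramfs) and the actual UUIDs from `mdadm --detail --scan`.

```python
import re

# Matches "ARRAY /dev/md0 ... UUID=aaaaaaaa:bbbbbbbb:cccccccc:dddddddd" as written
# in mdadm.conf and as printed by `mdadm --detail --scan`
ARRAY_RE = re.compile(r"^\s*ARRAY\s+(\S+)\s.*?\bUUID=([0-9a-fA-F:]+)", re.I)


def parse_arrays(text):
    """Return {device: uuid} for every ARRAY line in mdadm.conf style text."""
    arrays = {}
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            arrays[m.group(1)] = m.group(2).lower()
    return arrays


def compare_arrays(actual, stale):
    """Compare {device: uuid} read from the superblocks against the initramfs copy.

    Returns [(device, status, detail)] with status "ok", "mismatch" or "missing";
    for a mismatch, detail names the 1-based positions of the differing 32-bit words.
    """
    report = []
    for dev in sorted(actual):
        if dev not in stale:
            report.append((dev, "missing", ""))
            continue
        if actual[dev] == stale[dev]:
            report.append((dev, "ok", ""))
            continue
        a, s = actual[dev].split(":"), stale[dev].split(":")
        bad = [i + 1 for i, (x, y) in enumerate(zip(a, s)) if x != y]
        report.append((dev, "mismatch", "words %s differ" % bad))
    return report


def rewrite_conf(conf_text, actual):
    """Return conf_text with the UUID of every known ARRAY line replaced by the actual one."""
    out = []
    for line in conf_text.splitlines():
        m = ARRAY_RE.match(line)
        if m and m.group(1) in actual:
            line = re.sub(r"UUID=[0-9a-fA-F:]+", "UUID=" + actual[m.group(1)], line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample of what `mdadm --detail --scan` reports from the superblocks
ACTUAL_SCAN = """\
ARRAY /dev/md0 metadata=0.90 UUID=0a1b2c3d:4e5f6a7b:8c9d0e1f:2a3b4c5d
ARRAY /dev/md1 metadata=0.90 UUID=1c2d3e4f:5a6b7c8d:9e0f1a2b:3c4d5e6f
ARRAY /dev/md2 metadata=0.90 UUID=2e3f4a5b:6c7d8e9f:0a1b2c3d:4e5f6a7b
"""

# Constructed sample of the initramfs copy: md1's second half was derived from the
# hostname instead of read from the superblock, and md2 is not listed at all
STALE_CONF = """\
# mdadm.conf extracted from the initramfs
DEVICE partitions
ARRAY /dev/md0 level=raid1 num-devices=2 UUID=0a1b2c3d:4e5f6a7b:8c9d0e1f:2a3b4c5d
ARRAY /dev/md1 level=raid1 num-devices=2 UUID=1c2d3e4f:5a6b7c8d:deadbeef:cafebabe
"""

if __name__ == "__main__":
    # On a real system (assumption: gzip-compressed initramfs) the stale copy comes from
    #   zcat /boot/initrd.img-$(uname -r) | cpio -i --to-stdout etc/mdadm/mdadm.conf
    # and the actual UUIDs from:  mdadm --detail --scan
    actual = parse_arrays(ACTUAL_SCAN)
    for dev, status, detail in compare_arrays(actual, parse_arrays(STALE_CONF)):
        print(dev, status, detail)
    print(rewrite_conf(STALE_CONF, actual), end="")
```

A device reported as "missing" has to be added to the config by hand; rewrite_conf only corrects lines that already exist.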

Wednesday, February 22, 2012

Content moved from my old work blog

All of the posts added today are old posts from my work blog.  I don't work there anymore and I can't expect them to keep my account open forever, so here it is.  A lot of it is probably out of date, but it's a good reference for future issues.

Providing print services with Samba

The instructions are Debian Lenny-specific as far as installing packages, but the rest should be applicable to whatever inferior distribution of *nix you choose (just kidding.) These instructions do not cover using raw print queues in which the clients use their own driver to format the print job and CUPS passes the job as it is to the printer. That method does not work with quotas because page counting is done in the pstops filter. The print server is assumed to be on the same hardware as the samba server. If it isn’t, you’ll have to configure CUPS to accept jobs from the samba box and make changes to the smb.conf that point to the location of the CUPS server.

Software and Files

Start with a working Samba member server, then install the following packages:
aptitude install cups
aptitude install hplip
# HP laserjet PPDs for just about every HP LJ made. 
# Don't bother if you are not setting up an HP queue, of course.
 
If you aren’t setting up an HP printer, get a PPD for Windows NT/2000 for your printer and put it on your print server. You can use NT PPDs with CUPS without problems. You will need to get the following files from a Windows client, located in %WINDIR%\SYSTEM32\SPOOL\DRIVERS\W32X86\3 or %WINDIR%\SYSTEM32\SPOOL\DRIVERS\X64\3 on a 64 bit client:

ps5ui.dll
pscript.hlp
pscript.ntf
pscript5.dll
 
You will also need to get the following from http://www.cups.org/software.php, located in the cups-windows-6.0-source.tar.gz package (in the i386 folder):

cups6.inf (from www.cups.org)
cups6.ini (from www.cups.org)
cupsps6.dll (from www.cups.org)
cupsui6.dll (from www.cups.org)
 
Place all of those files, the CUPS and the Windows ones, in /usr/share/cups/drivers.

Set Up the Queues

CUPS can be left the way it is. As long as you are going to use samba for the front end, you don’t need to reconfigure CUPS to be available on the local network. By default, it listens on localhost only and that works just fine. There are two ways to set up CUPS print queues, the command line or the web interface. The web interface makes it ridiculously easy, so I recommend that method. I went to the Ken Han School of System Administration (“GUIs are for desktops, not servers”), so I use lynx:
lynx localhost:631
Then just click on links and select options from the drop-down menus until you get your queue set up. There are examples of proper entries for how you connect to your printer and a help page that gives more info. Most likely, you have an HP LaserJet with an embedded JetDirect, so you would enter

socket://192.168.1.10:9100
 
on the page that asks for how you connect to your printer. For a directly-connected USB printer, it should show up. If not, use lpinfo from the command line to get a list of available devices:

bullet:/home/matt# lpinfo -v
network socket
network beh
file cups-pdf:/
direct hal
direct hp:/usb/deskjet_5100?serial=ABC123456
direct hpfax
direct hp:/usb/HP_LaserJet_1022?serial=ABC123X35
network http
network ipp
network lpd
direct parallel:/dev/lp0
direct scsi
serial serial:/dev/ttyS0?baud=115200
network smb
 
See that file cups-pdf:/ entry? There is a cups-pdf package you can install so your clients can print to pdf and have the resulting file placed in some folder. That’ll be a future write up, but it is a pretty cool feature.

If you placed a Windows PPD on your server, you will need to enter the path to it on the page that asks you for the Manufacturer.

Check that you can send a test page to the printer once the queue has been set up. If the printer and server are in different VLANs, get the appropriate firewall port opened up. You will definitely need the print port (9100/tcp in the socket:// example above) open from the server to the printer, and may need to get SNMP from the printer to the server. I haven’t set up the latter, but I think it’s possible to get status reports from the printers that way.

smb.conf Entries

There is a link on the Administration page to Export to Samba. Don’t do this yet. Make sure your smb.conf has the following two sections in it:

[printers]
    comment = All Printers
    path = /var/spool/samba
    printer admin = root, "DOMAIN\yourauthorizeddomainuser"
    guest ok = Yes
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    admin users = root, "DOMAIN\yourauthorizeddomainuser"
    write list = root, "DOMAIN\yourauthorizeddomainuser"
 
The first is the share your clients get the print queues from; the second is a hidden share that holds the drivers. Check that the paths exist on your filesystem or change them to something more appropriate. You may not want guest ok = Yes and you may want to make the printers share browseable, so make the appropriate changes. Save it, then run testparm to make sure you haven’t messed up the config file.

Stop winbind, restart samba (smbd and nmbd), restart winbind.

Using rpcclient

Now to see if samba sees the queues.

rpcclient  mysambabox -U DOMAIN\\myauthorizeddomainuser
Password:
rpcclient $> enumprinters
    flags:[0x800000]
    name:[\\sambabox\hpljuh054]
    description:[\\sambabox\hpljuh054,,HP LaserJet P3005]
    comment:[HP LaserJet P3005]

    flags:[0x800000]
    name:[\\sambabox\hpljuh052]
    description:[\\sambabox\hpljuh052,,HP LaserJet 2430]
    comment:[HP LaserJet 2430]
 
In the description, the second entry is blank. That’s where the driver is listed after exporting the printer to samba via cupsaddsmb. At this stage, if you type ‘enumdrivers’ at the rpcclient prompt you’ll get an error message. Type ‘exit’ to get out of the rpcclient prompt and go back to the CUPS web interface. Click on the Administration link, then click on Export Printers to Samba. Use the check boxes to select the printers you want to share, enter your DOMAIN\youraccount and password, click Export Printers to Samba and cross your fingers. If it fails, you get a page saying the action was unsuccessful, with a link to a less-than-useful log of what happened. Upon success, or partial success, you get a very encouraging page. Don’t believe it until you go back to the rpcclient prompt and verify everything was registered properly.

It's extremely important to use either a root account (if your samba server is part of a samba domain) or set the permissions on the print directories to be writable by the domain account used when exporting printers.  It is also necessary to grant printing privileges to the account being used to export printers.  Having insufficient rights will cause unhelpful error messages to be generated and lots of frustration.

rpcclient $> enumprinters
    flags:[0x800000]
    name:[\\sambabox\hpljuh054]
    description:[\\sambabox\hpljuh054,hpljuh054,HP LaserJet P3005]
    comment:[HP LaserJet P3005]

    flags:[0x800000]
    name:[\\sambabox\hpljuh052]
    description:[\\sambabox\hpljuh052,hpljuh052,HP LaserJet 2430]
    comment:[HP LaserJet 2430]
 
Now the driver name appears in the description. Check for the registered drivers with

rpcclient $> enumdrivers

[Windows NT x86]
Printer Driver Info 1:
    Driver Name: [UH054-LaserJet]

Printer Driver Info 1:
    Driver Name: [UH054LaserJet]

Printer Driver Info 1:
    Driver Name: [hpljuh054]

Printer Driver Info 1:
    Driver Name: [UH052LaserJet]

Printer Driver Info 1:
    Driver Name: [hpljuh052]

Printer Driver Info 1:
    Driver Name: [UH054-LaserJet]
 
Now you are ready to connect from a client. Connect to the share name listed above from a domain client and you should see a queue window pop up after a short delay. Drivers are downloaded automagically to the client with this set up, just like on a real Windows server.

Comments

This is the part where I warn you that you may follow the directions here and at the links below and still have issues. I think that samba sometimes emulates a Windows server too well and takes time for some things to register, which isn’t typical of a *nix service. I had a really hard time with exporting the queues from CUPS to samba. After moving on to another project for a few days and then finally getting back to finishing this one, it Just Worked(tm). I can’t tell you exactly what wasn’t working before or what made it work correctly in the end, as I just picked up where I left off and started the procedure fresh with success.

Update: I've since done this again on a completely different system and found that cupsaddsmb expects you to use a root/admin account in order to create the /var/lib/samba/drivers/W32X86/3/ directory structure.  It seems obvious, as it's consistent with samba to require the linux and Windows permissions to be correct, but it's easy to forget that your account on a Windows domain that has print admin privileges is not allowed to create directories.  This became very obvious when the LDAP root/admin account was deactivated and a Domain Admin account was unable to add printers.

This how-to gets you a pretty decent print server with basic features like auto driver download. Quotas can be established, delegated administrators can be declared for particular queues, and some other stuff can be done (like custom CUPS filters that reject jobs in certain formats, like .psd that students insist on plugging up queues with.)

Future Notes

Setting up quotas is next. The CUPS line is like this:

lpadmin -p myprinter -o job-quota-period=6048000 -o job-page-limit=150
 
The above can only be run after the queue is set up in CUPS, as it modifies an existing queue. You can specify all of that stuff when you make the queue if you do it from the command line, but it is a hassle. The -p specifies the queue to modify and the -o flags set options on the queue. The job-quota-period is specified in seconds, so the above would be ten weeks, and the job-page-limit is a count of pages. I have not tested this yet; when I do I’ll write up anything odd that needs to be done besides the above line.

There are a few things to keep in mind. Quotas apply to every user on a particular queue, you cannot specify one quota for faculty and one for students. For accurate page accounting, the job has to pass through the pstops filter. An image file typically goes through the imagetops filter and gets a default count of ’1.’ This isn’t terrible, as most images are one page anyway, but if someone manages to split an image file across multiple pages the count will be incorrect. Lastly, the print server does not give a very useful message when a user has reached their limit, something to the effect of ‘error sending job’ or something equally cryptic.

Resources

Samba Cups How-To
cupsaddsmb man page
PostScript

Disk-based virtual machine how to

Procedure for creating PV machines with Debian Etch amd64.  The procedure is much the same for Lenny, the differences are noted in each step.

Turn on HVM support in BIOS.  Of course, not necessary for PV, but then it’s on if you decide to do some HVM machines later.

The following assumes that you did a standard installation of Debian, using LVM with the guided partitioning scheme. Guided partitioning results in most of the disk space being allocated to the /home directory. If you do manual partitioning from the installer, skip to debootstrap.

Install xen, xen-hypervisor-3.2-1-<arch>.
Edit /boot/grub/menu.lst, adding "console=tty0" and "console=hvc0" to the end of the "module /boot/vmlinuz" line for the xen entries.  Also edit the inittab to have the following entries:

1:2345:respawn:/sbin/getty 38400 hvc0
2:23:respawn:/sbin/getty 38400 tty1 # I just commented out the original entries and changed 1 and 2 to match these.

Resize the /home partition.
umount /dev/debian0/home # substitute debian0 with the volume group name
e2fsck -f /dev/debian0/home
resize2fs /dev/debian0/home 4.5G # dirty way of ensuring you don’t stomp
lvreduce -L 5G /dev/debian0/home # the end of the file system
resize2fs /dev/debian0/home
mount -t ext3 /dev/debian0/home /home

Create a new partition in the freed space.
lvcreate -L 5G -n ns0 debian0 # -n (lv_name) vg_name
lvcreate -L 256M -n ns0-swap debian0
lvscan -v # make sure it’s there
mke2fs /dev/debian0/ns0
tune2fs -j /dev/debian0/ns0
mkswap /dev/debian0/ns0-swap
mount /dev/debian0/ns0 /mnt

Use debootstrap to install a minimal system on the partition. If you have a lot of VMs to make, you could run the following line, then tar up the /mnt directory and untar it in the next partition. Another option is to use the --make-tarball FILE option for debootstrap so you have a tar file of all the .debs locally and then use --unpack-tarball FILE when you do the next VM. Your mirror might thank you.

debootstrap etch /mnt http://debian.osuosl.org/debian # pick a mirror, use lenny instead to get the current stable

On the dom0, make sure (network-script network-bridge) and (vif-script vif-bridge) are uncommented for Lenny.  For Etch, I used (network-script network-dummy).  This gives you simple networking where the physical ethernet device and all of the virtual ethernet devices belonging to the domUs are attached to a virtual bridge once everything below gets configured.

Edit /mnt/etc/network/interfaces.
auto lo
iface lo inet loopback
Edit /mnt/etc/fstab.
proc /proc proc defaults 0 0
/dev/sda1 / ext3 defaults,errors=remount-ro 0 1
/dev/sda2 none swap sw 0 0

Unmount /mnt.
cd /
umount /mnt
Create a config file for the VM (/etc/xen/ns0.cfg).
# -*- mode: python; -*-
kernel = "/boot/vmlinuz-2.6.18-4-xen-amd64" # put the appropriate kernel entry here
ramdisk = "/boot/initrd.img-2.6.18-4-xen-amd64"
memory = 256
name = "ns0"
vif = [ 'bridge=xenbr0']
disk = ['phy:/dev/debian0/ns0,sda1,w', 'phy:/dev/debian0/ns0-swap,sda2,w']
ip = "192.168.1.10"
netmask = "255.255.255.0"
gateway = "192.168.1.1"
hostname = "ns0"
root = "/dev/sda1 ro"
extra = "console=hvc0 xencons=tty" # console to serial, xencons sends display to vga

Start the domU.
xm create ns0.cfg -c

Log in as root (no password yet!), set a password. base-config is not installed by debootstrap, you have to do the following manually.

Set the timezone.
vi /etc/default/rcS # Set how hardware clock is interpreted, UTC or local
tzconfig

Lenny uses this instead:
dpkg-reconfigure tzdata

Configure networking through the following files (on the domU.)
vi /etc/network/interfaces
auto lo
iface lo inet loopback
# for static ip
auto eth0
iface eth0 inet static
address 192.168.1.10
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.1

vi /etc/resolv.conf
search some.com
nameserver 192.168.1.2
nameserver 192.168.1.3

vi /etc/hostname
myhostname

vi /etc/hosts
127.0.0.1 localhost myhostname
# the following is for IPv6 support
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts


Set the hostname.
hostname myhostname

Make sure your networking is configured correctly.
/etc/init.d/networking restart
ping localhost
ping 192.168.1.10
ping 192.168.1.9 # whatever the dom0 is
ping 192.168.1.50 # some host outside of the box

Edit apt sources.
vi /etc/apt/sources.list
deb http://debian.osuosl.org/debian/ etch main
deb-src http://debian.osuosl.org/debian/ etch main
deb http://security.debian.org/ etch/updates main
deb-src http://security.debian.org/ etch/updates main

Run aptitude update.
Install locales and udev (debootstrap doesn’t install either and you’ll get error messages on a lenny system about no /dev/pty, which are probably harmless but annoying.)

aptitude install locales udev
dpkg-reconfigure locales
# pick en_US UTF-8
Debootstrap installs a minimal system, run tasksel to install a more complete system.
tasksel install standard

To check out configured volume groups:
vgdisplay

Helpful commands for Xen:
^] # CTRL-] To exit the domU console
xm console domUname # To reconnect to a console
shutdown -h now # To shutdown the VM from within the VM.
xm shutdown domUname # To shutdown from dom0.
xm create /path/to/config -c # Start a virtual machine and attach to its console.
xm destroy domUname # Stop a virtual machine dirty.
xm list # List all running VMs.
xm help

References:
Xen
http://wiki.xensource.com/xenwiki/XenFaq
http://wiki.xensource.com/xenwiki/DebianDomU
http://wiki.xensource.com/xenwiki/XenOnUbuntu64
http://www.debian-administration.org/articles/396

Debian
http://www.debian.org/releases/etch/alpha/apds03.html.en#id2549076
http://www.mail-archive.com/debian-alpha@lists.debian.org/msg24209.html
http://wiki.debian.org/Xen

LVM
http://riseuplabs.org/grimoire//storage/lvm2/#reducing_size

Prepping Sanako clients for Ghost management

Using Ghost to manage lab machines is really straight-forward when the clients are using fairly standard software; however, things get interesting fast when specialized software is required for the computers. The Multimedia Language Center in the World Languages Department has one lab set aside for the use of Tandberg/Sanako language learning software. The vendor did the initial installation around 1999, which involved a complicated hardware remote desktop system integrated with VCR and cassette decks in addition to a file server and a database server. There are 21 clients and one teacher console in the lab. These computers all communicate directly with the file server, which holds mp3 files of phrases spoken in various languages, and the database server, which actually serves as an intermediary between the clients and file server. That requires a little more explanation: the file server is directly accessible from all clients, however, the database server provides a front end to each client to ease searching for files. If students are sophisticated enough, they can skip the db, called Library Pilot. Most, if not all, use the Library Pilot. A recent upgrade to the Sanako software was installed by the vendor, which apparently now utilizes a software-based remote desktop. The new version required the use of Windows XP in order to take advantage of all the software features, so the old Dell GX110s were fitted with more memory to handle the additional operating system requirements. New hardware was purchased to fully update the lab: 22 Dell Optiplex 745s. This provided the opportunity to understand the interdependencies better and switch the lab over from Hard Drive Sheriff (files restored locally) to Ghost.

Having been down this path before, some difficulties were expected. I’ve had issues with Quark, SPSS, and a few other applications. It took a week of testing and resetting, and testing again to determine that the Teacher Console and the clients are the hardest to set up (well, not anymore.) The Teacher Console (TC) has a file that maps MAC addresses to station numbers, which are displayed in a grid in the main Lab 300 window. The client has to report from two applications what its station number is: rclnt and the Duo player. It is possible to call up rclnt -ui and set the station number manually, but this does not propagate to the Duo player. Installing from the TC, as described in the manual, runs through a wizard that asks for the station number and sets both properly. It is even possible to run the set up again after installation to set the station number. That’s no good for managing with Ghost. We want to get an image from one machine and have the rest set themselves automagically.

The keys that need to be set are:

HKLM\SOFTWARE\Sanako\Shared Components\NetCommPlatform\Client\Client ID REG_DWORD 0x0000000y (y = station number in hexadecimal)
HKLM\SOFTWARE\Sanako\Shared Components\Common\ToLabNumber REG_DWORD 0x0000000y
HKLM\SOFTWARE\Sanako\Lab\Lab300\Duo\Common\ToLabNumber REG_DWORD 0x0000000y



I have no experience with Visual Basic Scripting, so my first (and hopefully last, yuck) script is below. It is super simple, would benefit greatly from a little regex and variable substitution, and won’t get any more love because it works. In a generic form, here it is:

set objShell = WScript.CreateObject("WScript.Shell")
station = objShell.RegRead _
("HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName")
if station = "Room#-01" Then
objShell.RegWrite "HKLM\SOFTWARE\Sanako\Lab\Lab300\Duo\Common\ToLabNumber", 1, "REG_DWORD"
objShell.RegWrite "HKLM\SOFTWARE\Sanako\Shared Components\Common\ToLabNumber", 1, "REG_DWORD"
objShell.RegWrite "HKLM\SOFTWARE\Sanako\Shared Components\NetCommPlatform\Client\ClientId", 1,"REG_DWORD"
ElseIf station = "Room#-02" Then
objShell.RegWrite "HKLM\SOFTWARE\Sanako\Lab\Lab300\Duo\Common\ToLabNumber", 2, "REG_DWORD"
objShell.RegWrite "HKLM\SOFTWARE\Sanako\Shared Components\Common\ToLabNumber", 2, "REG_DWORD"
objShell.RegWrite "HKLM\SOFTWARE\Sanako\Shared Components\NetCommPlatform\Client\ClientId", 2,"REG_DWORD"
...
ElseIf station = "Room#-21" Then
objShell.RegWrite "HKLM\SOFTWARE\Sanako\Lab\Lab300\Duo\Common\ToLabNumber", 21, "REG_DWORD"
objShell.RegWrite "HKLM\SOFTWARE\Sanako\Shared Components\Common\ToLabNumber", 21, "REG_DWORD"
objShell.RegWrite "HKLM\SOFTWARE\Sanako\Shared Components\NetCommPlatform\Client\ClientId", 21,"REG_DWORD"
End If
objShell.RegWrite "HKLM\SOFTWARE\Sanako\Lab\Lab300\Duo\Path\Default Open Path", "\\someserver\someshare", "REG_SZ"

The client name is pulled from the ComputerName key, then a simple if/else block handles the rest. That’s how I roll when I can’t use a case block. Kidding, kidding. I used vbs because the script interpreter is built in and I thought that as much as I would have preferred to bust out a quick python script, this little task didn’t really justify installing the interpreter. That last line is the value of the default open path that appears when File->Open is selected in the Duo player.

The last thing to do is to add the Group Policy Object snap-in to the MMC, open Computer Configuration->Windows Settings->Scripts, double click Startup, then click Add->Browse, find your script (I put it in the folder that Browse starts at), then click Apply. The script will run at each startup; it is small and fast enough that there isn’t really any performance hit on a 3.4GHz box to worry about :) If you are super uptight about those things, then configure it to run once and let it go. Just don’t forget to not run it before capturing an image.

If you are seeing weirdness like all the client requests showing up on the TC as station 1 or messages from the TC to the client going to the wrong client, double check your registry entries.

I have not configured the clients for Library Pilot. The media files are shared read-only and revert back to the top level of the share on each log in. I still have to figure out how to get it to revert after every use in the event that someone does not log out and someone else sits down to work (these are kiosk stations, no individual accounts). The other thing that I don’t have working is the intercom function between the TC and clients, but I suspect that this has to do with the hardware that integrates the VCR and cassette decks. One final note, Dell Optiplex 745s are not compatible with the Duo player because the onboard sound does not have a separate Microphone In. I used the Creative cards that were in the older Dell GX110s and they work fine.

As for firewall configuration, Sanako provides this document. The port numbers, off hand, are 6100, 6101, and 6102. I’ll have to verify these as I don’t have the notes handy.

Debian Etch and Xen

Debian Etch and Xen 3.0.3 on amd64
(based heavily on Debian Sid gets Xen 3.0)
This walk through will get you set up with the tools you need and the hard configuration stuff for getting file-backed virtual xen machines running.  If you want to run partition (disk)-based VMs, I have another page for that but you will still need to get a bunch of the packages listed here as well as setting up the interfaces file.  We will need the following packages:
xen-hypervisor-3.0.3-1-amd64
xen-utils-3.0.3-1
linux-image-2.6.18-3-xen-amd64
bridge-utils
iproute
sysfsutils
xen-tools
So here we go. Start with:
apt-get update
Then install the following (substituting a current kernel and package versions):
root@debian:~# apt-get install xen-hypervisor-3.0.3-1-amd64 xen-utils-3.0.3-1 linux-image-2.6.18-3-xen-amd64
I prefer to run stock kernels, if you want to run a custom kernel you are on your own. Check out the xen-users mailing list archives if you run in to trouble, the topic comes up occasionally. Once apt has done its thing, install the other necessary packages:
root@debian:~# apt-get install bridge-utils iproute sysfsutils xen-tools
The defaults in /etc/xen/xend-config.sxp are fine, we are going to change /etc/network/interfaces to handle networking. Open up your favorite editor and change /etc/network/interfaces, removing the eth0 entry and adding:
auto xenbr0
iface xenbr0 inet static
address 192.168.0.10
netmask 255.255.255.0
network 192.168.0.0
bridge_ports eth0
Reboot the machine and you are ready to use xen-tools. I will refer you to the end of Debian Sid gets Xen 3.0, I would just be copying it here.
The most difficult part in setting this up was the entry in /etc/network/interfaces, as I couldn’t find any documentation on it. I followed at least three separate threads on xen-users related to similar networking issues. A kind soul finally shared the magic and said that the bridge had to be brought up and it would bring up the interfaces attached to it.

Resources
http://www.debian-administration.org/articles/396