Identify from where an AD account was locked out

After enabling password lockouts in our company AD, my account got locked out from time to time. After some searching I finally found out that on a Windows Server 2012 the magic event ID to check is “4625”. It will tell you the IP from which the login request that led to the lockout originally came.

BTW: In my case it was an unused but configured Nextcloud app on my mobile.
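An offline version of that check, added here as an example (not code from the original post): it reads Security events exported as XML and counts, for one account, the source addresses recorded in its 4625 events. The `<Events>` wrapper, the sample records and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, user, ip):
    """Build one constructed Security event with only the fields used below."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )

# Constructed sample export; the <Events> wrapper is an assumption of this example.
SAMPLE = "<Events>" + "".join(_event(*row) for row in [
    (4625, "jdoe", "192.0.2.10"),
    (4625, "jdoe", "198.51.100.7"),
    (4625, "JDOE", "192.0.2.10"),
    (4625, "asmith", "192.0.2.10"),   # other account, ignored
    (4624, "jdoe", "203.0.113.5"),    # successful logon, ignored
    (4625, "jdoe", "-"),              # no network source recorded
]) + "</Events>"

def failed_logon_sources(xml_text, user):
    """Return [(source_ip, count), ...] for the 4625 events of one account."""
    counts = Counter()
    # ElementTree is fine for your own exports; do not feed it untrusted XML.
    for event in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in event.iterfind("e:EventData/e:Data", NS)}
        # Account names are case-insensitive in AD, so compare lowercased.
        if data.get("TargetUserName", "").lower() != user.lower():
            continue
        counts[data.get("IpAddress") or "-"] += 1
    return counts.most_common()

if __name__ == "__main__":
    for ip, n in failed_logon_sources(SAMPLE, "jdoe"):
        print(f"{n:3d} failed logon(s) from {ip}")
```

The address at the top of the list is the first device to check for stale credentials.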

Running a limited number of scripts in parallel from Bash

Imagine you have a text file with a single parameter for another script on each line, but you want to speed things up. Instead of writing an overly complicated wrapper script, as I did a few times in the past, you could just use xargs. It comes equipped with everything needed for this task. The following example assumes that for each parameter in parameters.txt the command MyFancyScript.py should be executed, with no more than 20 processes at the same time:

cat parameters.txt | xargs -n 1 -P 20 MyFancyScript.py

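I guess it’s not hard to figure out that -P is the magic switch to allow multiple instances to be executed at the same time, while -n 1 hands each instance exactly one parameter. Keep in mind that xargs splits its input on whitespace and interprets quotes, so this only works as described when the parameters contain neither.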

Why isn’t the full certificate chain provided by my web server?

Good question, simple answer though: Probably you’re still on Ubuntu 14.04 (Trusty) and thus your Apache version is too old (2.4.7) and does not provide the full certificate chain from the file specified as SSLCertificateFile. The nasty thing: It throws neither a warning nor an error, neither on the console nor in the error.log.

Solution: Use the SSLCertificateChainFile option instead to point to the intermediate certificates of your CA.

But watch out when you update your server: SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

Xubuntu/XFCE to Ubuntu/Unity

I finally made it and switched from Xubuntu/XFCE to plain Ubuntu/Unity after I bought a new laptop for my parents, which forced me to finally choose a desktop environment that I want to support for my family and friends in the coming years. I have to say that after using Unity for a couple of hours, it turns out to be not as bad as I always thought. So basically it’s like every time there is something new that feels like it just wants to break your habits: first you hate it, then you accept it and at some point you begin to love it. Now, after switching my own laptop, my workstation at work and my parents’ desktop PC to Ubuntu/Unity, I am getting closer to “lovin’ it”.

All that does not mean that I was ever unhappy with Xubuntu/XFCE, but in the last years its main purpose was to provide me a way to stick with a Gnome 2ish desktop environment, just because I did not want to change my own, maybe bad habits. Unity without additional tweaking is great for the normal user and with its lightweight menus and highly integrated apps, it just does its job. With some minor adjustments it works perfectly well for advanced users like me. Compiz Settings Manager and Unity Tweak Tool (PPA version) are very helpful if you want to improve your Unity experience and I highly recommend having a look at them, even if you think that the defaults already provide a decent user experience.

BTW: There is no need to re-install your system. If you want to switch from any Ubuntu flavor back to pure Ubuntu, check out Psychocats’ Pure Ubuntu 14.04 post.

Python’s argparse and lists

While Python’s argparse allows you to declare a command-line parameter to be of any supported type, this neither works nor is recommended for the “list” type. A workaround for passing a list of comma-separated items is to use your own type, which for argparse means that the value of “type” must be callable, as shown in the example below.

import argparse

def csv_list(string):
    # argparse calls this with the raw argument string
    return string.split(',')

parser = argparse.ArgumentParser()
parser.add_argument('-l', type=csv_list)
args = parser.parse_args()
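An extended variant of that type callable, added here as an example and not part of the original post: it trims whitespace and rejects empty items by raising argparse.ArgumentTypeError, which argparse turns into a usage error with exit status 2. The --list long option, the dest name and the helper functions are assumptions made for the example.

```python
import argparse

def csv_list(value):
    """argparse type callable: 'a, b,c' -> ['a', 'b', 'c']."""
    items = [item.strip() for item in value.split(",")]
    # A trailing comma or ',,' yields an empty item; refuse it instead of
    # silently passing '' on to the rest of the program.
    if any(not item for item in items):
        raise argparse.ArgumentTypeError(f"empty item in list: {value!r}")
    return items

def build_parser():
    parser = argparse.ArgumentParser()
    # The default is already a list, so argparse does not run it through csv_list.
    parser.add_argument("-l", "--list", dest="items", type=csv_list, default=[])
    return parser

def parse(argv):
    """Parse an explicit argument vector and return the resulting list."""
    return build_parser().parse_args(argv).items

if __name__ == "__main__":
    print(parse(["-l", "alpha, beta,gamma"]))
```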

ARD: The Secret Power of Google

I started writing the following lines on my smartphone while the programme was still being broadcast and was close to simply posting them on Google Plus. But I think they are better placed in my blog. Apparently my opinion of the programme is not entirely off, judging by what was written about it on ZDNET, for example.

What “Die Story im Ersten – Die geheime Macht von Google” shows me: a lack of media literacy wherever you look. Merkel is right, it is all #Neuland.

The users shown fall for ads that are labelled as such and that regular Google users should actually recognise immediately. A teacher is surprised by what can be seen in the Dashboard. The tracking via the smartphone surprises her most of all. But hey, on first use you are, after all, only asked whether these features should be activated. At least she admits her own failure in the end, noting that she probably has not looked into it enough. Once more: I have seen quite a few Android devices in their factory state, and you have to confirm, or even activate in the first place, various things that have to do with tracking, privacy and data protection. Anyone who just keeps pressing “Next” without reading has only themselves to blame, period!

And for a whiny provider of map services, always embarrassingly referred to in the report as an “Internet manager” (what the heck is that supposed to be?!), whose industry for years pursued even private users over every little map snippet without offering an acceptable business model, I unfortunately have no sympathy left either. (As I had somehow already suspected, one of the two “Internet managers” shown apparently turns out to be an employee of Axel-Springer.)

Since Google does not have a social network as successful as Facebook or LinkedIN, there is no “peer pressure” either, and every user can decide for themselves whether and what they use from Google. So we users are probably rather the secret power behind Google. At any rate, the report could not even begin to reveal any secret.

Getting Webcam of Dell M1330 running

In order to get the webcam running that is identified by lsusb as

Bus 002 Device 003: ID 05a9:7670 OmniVision Technologies, Inc. OV7670 Webcam

you just have to enable quirks mode for the uvcvideo kernel module:

echo "options uvcvideo quirks=0x100" | sudo tee /etc/modprobe.d/uvcvideo.conf

After that, reboot or reload the kernel module (sudo rmmod uvcvideo && sudo modprobe uvcvideo). This seems to work on most recent Linux distributions and I have tested it myself on Xubuntu 14.04. If it does not work, check that a corresponding video device has been created. More details about that issue (which I did not have) can be found in a post on marvin.im (German only).

Mailserver Reloaded – Step 1

To reproduce the latest setup of my email server and to be able to work on this series of posts as promised months ago, I first created a new LXC container with Debian Wheezy. As LXC is not part of this series, no further details about it are provided here.

As always, the first thing to do on a brand new machine is checking for the latest updates:

apt-get update && apt-get dist-upgrade

First we need to install a mail transfer agent (MTA), which in our case will be Exim. As some enhanced capabilities, such as SASL authentication, are required, the Debian package exim4-daemon-heavy must be installed:

apt-get install exim4-daemon-heavy

Given that we are going to manually create an Exim configuration from scratch later, answers to configuration related questions during the installation process are irrelevant to this setup.

Now that our machine has an MTA installed, MySQL server can be installed:

apt-get install mysql-server

Hint: If you try to install MySQL server before an MTA is installed, Debian might choose another MTA than Exim to fulfill MySQL’s requirements. This may lead to additional, unnecessary steps or even a configuration conflict that you would have to resolve when installing Exim.

After that, Dovecot can be installed with the following command:

apt-get install dovecot-core dovecot-mysql dovecot-lmtpd dovecot-imapd dovecot-sieve dovecot-managesieved

In addition to the more or less obvious packages dovecot-mysql, dovecot-lmtpd and dovecot-imapd, the packages dovecot-sieve and dovecot-managesieved are also installed, so that server-side filtering based on Sieve is possible. Roundcube has some great plugins to create and manage Sieve filter rules.

Talking about Roundcube: This is the last piece we have to install before we can glue everything together. Though I generally prefer distribution packages, I mostly end up installing software manually when it comes to web applications. As Roundcube is written in PHP, we need a web server that is capable of executing PHP scripts. For simplicity we choose Apache plus the appropriate PHP 5 module in this howto:

apt-get install libapache2-mod-php5

That’s it for the first step. All required software is installed, so we can proceed with the configuration of each in the next step.

Installing .NET Framework 4.5.1 on Windows 2008 R2 Server Core

If you try to install .NET Framework 4.5.1 on a fresh installation of Windows 2008 R2 Server Core you may see the following error message:

You must install the .NET Framework 2.0 SP2 OS component.

Well, there IS a link to a list of reasons for a blockage of the 4.5.1 installation, but it wouldn’t be Microsoft if that error message were really in the list. After having a look at the listing of available features, I tried NetFx2-ServerCore first, which should be sufficient on a 64bit platform. The error message still occurred, so I installed the 32bit compatibility feature NetFx2-ServerCore-WOW64 as well. There we go: .NET Framework 4.5.1 could be installed successfully.

As searching for the error message did not return any useful results, I am documenting the solution here.
For completeness, here are the two commands that install the missing features on Server Core:

dism /online /enable-feature /featurename:NetFx2-ServerCore
dism /online /enable-feature /featurename:NetFx2-ServerCore-WOW64