Bacula & Vchanger Error: “i/o error reading loaded0 file on magazine in bay 1”


Today I debugged a Bacula backup issue at one of the networks I support in my spare time. Every backup terminated with an “i/o error reading loaded0 file on magazine in bay 1” error after the first virtual volume was full and a new one should have been loaded. I quickly figured out that upon mounting, the loaded0 file was still empty and therefore every unmount request as well as every new mount request just failed.

In order to see what exactly is going on when vchanger tries to load a volume, I ran:


strace -f vchanger /etc/bacula/vchanger.conf -u bacula -g disk load 8 usbchanger1 0

You’ll never guess what the problem was! I forgot to set the number of reserved blocks to zero when preparing the file system of the disks, so from a normal user’s perspective the disk was just out of space.

Here you can see the important lines of the strace call:
open("/mnt/vchanger/donnerstag/loaded0", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77c2000
write(5, "usbchanger1_0004_0008\n"..., 22) = -1 ENOSPC (No space left on device)
close(5) = 0

A tune2fs -m 0 /dev/sdc1 solved the problem, but why isn’t vchanger’s first load failing with an error message that tells me that it was not possible to update the loaded0 file? I think I am going to write a patch for this now.

UPDATE: Here is my patch to correctly interrupt loading and write useful log information: diskmanager.patch
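
Added example (not part of the original post, and neither the author's diskmanager.patch nor vchanger's own code): C code for the check the post asks for, which reports a failed update of the loaded0 file instead of silently leaving it empty. The function names write_loaded_file and only_reserved_blocks_left are hypothetical; the second compares statvfs f_bfree with f_bavail to recognise the reserved-blocks situation described above.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* Hypothetical helper, not vchanger's code. Returns 0 or -errno. */
int write_loaded_file(const char *path, const char *volume) {
    char line[256];
    int len = snprintf(line, sizeof line, "%s\n", volume);
    if (len < 0 || (size_t)len >= sizeof line)
        return -ENAMETOOLONG;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0)
        return -errno;
    int err = 0;
    for (int done = 0; done < len && err == 0; ) {
        ssize_t n = write(fd, line + done, (size_t)(len - done));
        if (n > 0)
            done += (int)n;                 /* partial write: keep going */
        else if (n == 0 || errno != EINTR)
            err = (n == 0) ? EIO : errno;   /* ENOSPC in the trace above */
    }
    if (err == 0 && fsync(fd) != 0 && errno != EINVAL)
        err = errno;                        /* EINVAL: fd cannot be synced */
    if (close(fd) != 0 && err == 0)
        err = errno;
    return -err;
}

/* 1 if only root-reserved blocks remain (f_bfree > 0, f_bavail == 0),
 * 0 otherwise, -errno if statvfs fails. */
int only_reserved_blocks_left(const char *path) {
    struct statvfs sv;
    if (statvfs(path, &sv) != 0)
        return -errno;
    return sv.f_bavail == 0 && sv.f_bfree > 0;
}

int main(int argc, char **argv) {
    if (argc != 3)
        return 2;                           /* usage: prog LOADED_FILE VOLUME */
    int rc = write_loaded_file(argv[1], argv[2]);
    if (rc != 0)
        fprintf(stderr, "cannot update %s: %s%s\n", argv[1], strerror(-rc),
                only_reserved_blocks_left(argv[1]) == 1 ? " (reserved blocks only)" : "");
    return rc != 0;
}
```

On Linux, pointing the program at /dev/full reproduces the ENOSPC from the trace without filling a disk.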

Good Telekom, Bad Telekom


Or, put differently: where there is shadow, there must be light somewhere.
I have had a Samsung Galaxy Tab 10.1N with 3G & WIFI for almost a month now. Three weeks ago I asked Telekom about a second SIM card for data-only use with the Tab. After I asked several times, the employee at the hotline assured me that with Multi-SIM, SMS/MMS and data connections can only ever be active on one device at a time. For SMS/MMS I can in principle understand that, for data connections rather less so.
A few days ago I got a tip to go to a Telekom shop and ask there. I did that today (at the Rheinparkcenter Neuss) and lo and behold: a competent employee! After just under 10 minutes I left the shop with an additional SIM card, and I had already received the activation SMS before I left the shop. Tried it right away at home and lo and behold: it works after all!

By the way, the data protection system also convinced me. To discuss or change anything regarding an existing contract, you have to tell the employee your own mobile number. You are then sent a security code by SMS. You tell the employee this code, and only then does he have access to the contract data. To be on the safe side, my name was also asked for. I think that is exemplary.

And This Is Why Storing IP Addresses Should Be Banned


In the age of Internet flat rates there has already been repeated argument about whether providers may store the IP addresses of the respective sessions. When this completely unnecessary practice meets unbelievably incompetent judges in our completely ailing and outdated legal system, the result is that in Germany unsuspecting pensioners are sentenced to pay cease-and-desist fees. And anyone who has ever had insight into ISP networks and the associated systems and log files knows how quickly mistakes are made there. In the USA, a few years ago, a SWAT team also stormed a farm because someone at an ISP had not taken the time zone into account. So, finally start implementing the principle of data avoidance.

Apple vs. Samsung


Apple seems to be successful in fighting Samsung’s Galaxy Tab 10.1 here in Germany. I asked for the redesigned (especially for Germany) version, the Samsung Galaxy Tab 10.1N, at a Saturn shop (a German chain of electronics stores) and after a phone call to another department I was told that they refuse to order that device even on customer demand due to Apple’s restraining order. Although the judgement will be given on December 22nd, they seem to fear not being allowed to sell the modified version in Germany either.

I had a glimpse at a Motorola Xoom tablet and am really asking myself why Apple does not jerk Motorola to court for the Xoom tablet too. It also looks exactly like the design patent of Apple’s iPad any $TABLET_PC.

Fridge vs. Apple’s iPad seems to become true if our judges don’t start using their brains very soon. Ever asked yourselves how all the television manufacturers can survive if the devices look so similar!?

Finally I’ve got only two words for you, Apple: FUCK YOU!
You can be sure I’ll never buy or use one of your devices.

EDIT: One day later I bought my 10.1N at a nearby Media Markt store. Although both stores belong to the same group, they seem to deal differently with the Galaxy Tab issue. So I have now owned a 10.1N for more than two weeks and haven’t regretted it yet.

M$ Knowledge base quote of the day


This behavior may occur if an FQDN or IP address contains periods. If an FQDN or IP address contains a period, Internet Explorer identifies the Web site or share as in the Internet zone.

Hit me if I’m wrong, but the above statement is always TRUE. An exception might be IPv6. But as that article is probably a few years old, I don’t think they had IPv6 on their mind.

Looking for a perfect Linux desktop system?


I think I just found it: Installed Ubuntu 10.04 on an Acer Aspire X3910 PT.SEDE2.240 and must say that I am really surprised how well it works. Everything was detected automatically. The whole machine has a very small form factor and is very silent but on the other hand very powerful with its dual-core Intel E6700 CPU. Unfortunately it is not mine 😉

MobileMe Mail Seems To Be RFC Ignorant


I am pretty sure that RFC 4959 section “4. Examples”, second example tells you, that your IMAP server offering AUTH=PLAIN _MUST_ support it. Now, this is what happens when you try it with a MobileMe Mail account:

* OK iSCREAM ready to rumble (1F28:18179)
R00001 CAPABILITY
* CAPABILITY st11p00mm-iscream001.me.com 1F28 XAPPLEPUSHSERVICE IMAP4 IMAP4rev1 SASL-IR AUTH=ATOKEN AUTH=PLAIN
R00001 OK !!
R00002 AUTHENTICATE PLAIN
R00002 BAD Parse Error
BAD Parse Error

Fucked up, isn’t it?

EDIT: Turns out to be a general problem, as media report about problems after the MobileMe > iCloud migration.

UPDATE: Apple fixed this issue a few weeks ago.

TLS init def ctx failed: -69 – WTF?


If you ever get into a situation, where you see

main: TLS init def ctx failed: -69

in your syslog, just remove the f**k**g passphrase from the key.

Maybe the error message is too obvious, because I found nothing helpful on the web. BTW: Confucius says: Building LDAP server on ONE day, will prevent you from getting headache, mkay!

Privacy, No Ads And Speed!


As I wrote earlier on this blog, I again started using Privoxy with a slightly modified configuration to block advertisements as well as improve privacy by filtering out tracking bugs and all that social networking stuff on websites.

It looks like some of the latest updates for Google Chrome/Chromium broke the “Proxy Switchy !” extension, which often made me surf the web without actually using Privoxy although the Privoxy proxy profile was selected in “Proxy Switchy !”. While reading some comments on a Google Plus post by Markus Beckedahl about some privacy-enhancing add-ons for Firefox, I stumbled upon a hint to try Chrome Block. I am trying it out at the moment and it looks very promising at first glance, but as it is mainly designed for privacy protection, a solution for removing ads was also needed. So I additionally installed AdBlock, which is also doing a great job.

My feeling is that the impact on browsing speed is extremely low compared to my earlier Privoxy setup, and it is more transparent to me than before as both extensions have nice self-explaining status icons to the right of the location bar.

AIX5L with Samba 3.x and Kerberos 5 as a Windows 2003 Active Directory Member Server


While cleaning up one of my other websites, I stumbled upon this guide I wrote five years ago. Although the content of this guide is already five years old, I don’t want to remove it from the net. I suppose it should also work with a Windows 2008 Active Directory domain. But please do not ask me questions about AIX5L as I do not have access to any of those machines any more.


Preparations

First install some packages which are required for the setup. This includes the Kerberos client as well as the Samba 3.x server. They are called pware.samba-3.0.23d, krb5.client and krb5.lic

Now make sure your system uses the same timeserver as your domain controller. On most systems this is done by making changes to the xntp server’s configuration file /etc/ntp.conf. Afterwards set up your active directory controller as your system’s nameserver in /etc/resolv.conf.

Kerberos 5 setup

Edit your Kerberos client configuration in /etc/krb5/krb5.conf so that it looks similar to this one:

 
# /etc/krb5/krb5.conf
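[libdefaults]
        default_realm = MYCOMPANY.LOCAL
        # Note: single-DES enctypes are cryptographically weak and are
        # disabled by default on Windows Server 2008 R2 and later.
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc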

[realms]
        MYCOMPANY.LOCAL = {
                kdc = dc.mycompany.local:88
                admin_server = dc.mycompany.local:749
                default_domain = mycompany.local
        }

[domain_realm]
        .mycompany.local = MYCOMPANY.LOCAL
        dc.mycompany.local = MYCOMPANY.LOCAL

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/kdc.log
        admin_server = FILE:/var/log/kadmind.log

Add the KRB5 authentication methods to /usr/lib/security/methods.cfg.

 
[..]
KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A
[..]

Now it is time to test your Kerberos 5 configuration by running kinit with an existing domain user as parameter e.g.

kinit Administrator

Samba 3.x server setup

Now that Kerberos is working for the underlying AIX System you can start to configure your Samba server. To make things easier, create the smb.conf in /etc and link it to the directory where samba expects it to be:

 
touch /etc/smb.conf
ln -s /etc/smb.conf /opt/pware/samba/3.0.23d/lib/smb.conf

Here is the beginning of a working /etc/smb.conf file.

 
# /etc/smb.conf
[global]
        workgroup = MYCOMPANY
        netbios name = AIXHOSTNAME
        security = ADS
        realm = MYCOMPANY.LOCAL
        password server = dc.mycompany.local
        client use spnego = yes
        client signing = yes
        encrypt passwords = yes
        printcap name = cups
        disable spoolss = Yes
        show add printer wizard = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +
        winbind use default domain = Yes
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/bash
        use sendfile = Yes
        printing = cups
        ldap suffix = "dc=mycompany,dc=local"
        winbind cache time = 0
        #Uncomment to allow these options
        log level = 5
        log file = /var/log/samba3/log.%m
        #max log size = 5000000
        #debug timestamp = yes
        browseable = yes
        obey pam restrictions = yes
        auth methods = winbind
[..]

If testparm is not complaining about any errors, try joining your domain.

 
net join -S dc -UAdministrator

Putting it all together with winbind

In order to make WINBIND available to your AIX system copy the winbind security module to /usr/lib/security,

 
cp /opt/pware/samba/3.0.23d/lib/WINBIND /usr/lib/security/

and add WINBIND config to /usr/lib/security/methods.cfg

 
[..]
WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly
[..]

To make winbind the default user database, change the SYSTEM value to WINBIND in the default section of /etc/security/user. You can check whether winbind is working with wbinfo.

After you have successfully joined your domain and set up winbind, make sure that smbd, nmbd and winbind get started at system startup. The easiest way for me was to add the SysV init scripts to /etc/rc.tcpip.