Tuesday, March 27, 2012

entry of 66048 (0x10200) when it should be 512 (0x200). eh?

So someone says:

"Oh so sorry, we've fascist controls on our AD-integrated site and you have: userAccountControl entry of 66048 (0x10200), when it should be 512 (0x200). No logon for you."

What does that mean, really?
Well. What it means is that, according to the userAccountControl attribute (UAC here, nothing to do with Windows User Account Control), your account has the DONT_EXPIRE_PASSWORD flag set. That flag has the hex and decimal values 0x10000 and 65536. Add it to mister normal user, NORMAL_ACCOUNT (0x0200, 512), and you get 0x10200, which is 66048. A password that never expires... that's not what the site expects.

Of course...

Here's something from Microsoft:

When you open the properties for a user account, click the Account tab, and then either select or clear the check boxes in the Account options dialog box, numerical values are assigned to the UserAccountControl attribute. The value that is assigned to the attribute tells Windows which options have been enabled.

To view user accounts, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in.

The following table lists possible flags that you can assign. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service. Note that Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).

Note: You can directly edit Active Directory in both Ldp.exe and Adsiedit.msc. Only experienced administrators should use these tools to edit Active Directory. Both tools are available after you install the Support tools from your original Windows installation media.
Property flag                   hexadecimal decimal
SCRIPT                          0x0001          1
ACCOUNTDISABLE                  0x0002          2
HOMEDIR_REQUIRED                0x0008          8
LOCKOUT                         0x0010          16
PASSWD_NOTREQD                  0x0020          32
PASSWD_CANT_CHANGE              MS says this can't be done programmatically.
ENCRYPTED_TEXT_PWD_ALLOWED      0x0080          128
TEMP_DUPLICATE_ACCOUNT          0x0100          256
NORMAL_ACCOUNT                  0x0200          512
INTERDOMAIN_TRUST_ACCOUNT       0x0800          2048
WORKSTATION_TRUST_ACCOUNT       0x1000          4096
SERVER_TRUST_ACCOUNT            0x2000          8192
DONT_EXPIRE_PASSWORD            0x10000         65536
MNS_LOGON_ACCOUNT               0x20000         131072
SMARTCARD_REQUIRED              0x40000         262144
TRUSTED_FOR_DELEGATION          0x80000         524288
NOT_DELEGATED                   0x100000        1048576
USE_DES_KEY_ONLY                0x200000        2097152
DONT_REQ_PREAUTH                0x400000        4194304
PASSWORD_EXPIRED                0x800000        8388608
TRUSTED_TO_AUTH_FOR_DELEGATION  0x1000000       16777216
PARTIAL_SECRETS_ACCOUNT         0x04000000      67108864
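To make the flag arithmetic above mechanical, here is an added example (not from the post or from Microsoft) that decodes a userAccountControl value, as Ldp or Adsiedit shows it, into the flag names from the table and reports anything set beyond a plain NORMAL_ACCOUNT. PASSWD_CANT_CHANGE has no value in the table, so its bit is reported as UNKNOWN; the NORMAL_ACCOUNT baseline and the set of flags treated as weakening are my assumptions.

```python
# Added example, not from the post: decode userAccountControl using the table above.
# PASSWD_CANT_CHANGE (no value in the table) is left out; its bit shows as UNKNOWN.
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}
# Assumption: flags that loosen password or Kerberos protections on a user account.
WEAKENING = {"DONT_EXPIRE_PASSWORD", "PASSWD_NOTREQD", "DONT_REQ_PREAUTH",
             "USE_DES_KEY_ONLY", "ENCRYPTED_TEXT_PWD_ALLOWED"}

def parse_uac(text):
    """Accept the value as Ldp shows it (hex '0x10200') or Adsiedit (decimal '66048')."""
    return int(text.strip(), 0)

def decode_uac(value):
    """Flag names set in value, lowest bit first; unnamed bits come back as UNKNOWN_0x..."""
    masks = [1 << b for b in range(32) if value & (1 << b)]
    return [UAC_FLAGS.get(m, f"UNKNOWN_0x{m:X}") for m in masks]

def unexpected_flags(value, baseline=0x0200):
    """Flags set beyond the baseline (default: a plain NORMAL_ACCOUNT, 512)."""
    return decode_uac(value & ~baseline)

def weakening_flags(value):
    """Subset of the unexpected flags that deserve a second look on a user account."""
    return [f for f in unexpected_flags(value) if f in WEAKENING]

if __name__ == "__main__":
    for shown in ("0x10200", "514", "512"):  # the values discussed in the post
        v = parse_uac(shown)
        print(shown, "->", v, decode_uac(v), "weakening:", weakening_flags(v))
```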

Monday, March 12, 2012

rhel6 makes me bang my head on my cubicle wall sometimes

rhel6 is pesky in that if the netmask isn't standard, it'll make one up for you anyway and really mess up routes. come on redhat, learn something from debian already.

let's fix that. Put the default route in:
/etc/sysconfig/network-scripts/route-ethX
default via dotted.router.ip dev ethX
and set the netmask explicitly at the end of:
/etc/sysconfig/network-scripts/ifcfg-ethX
ifconfig ethX netmask 255.255.252.0

Tuesday, March 6, 2012

lock it, lock it up and lock it

I like to run backups and other scripts that require exclusive access to directories. For directory mirroring, rsync is a graceful candidate for the job, either locally or over the net to another host. A problem with some scripts that call rsync is that you can get into a race situation if one of your scheduled rsync jobs starts trying to "back up" the same thing that another scheduled rsync process is processing. Bad joss all around. Of course, you could write something that says "if this script is already running, please don't run". Or, lockfile can be used in this regard. lockfile is part of the procmail package on various flavors of Ubuntu. To get it, issue:
# apt-get install procmail
Easy.

Here's a useful snippet of code using lockfile in a shell script:
#!/bin/sh

LOCKFILE="/tmp/processname.lock"

# Break a stale lock: the lock file holds the PID of the process that took it.
# If no process with that PID is running, or the PID now belongs to some other
# program, remove the lock file so we can take the lock ourselves.
RUNNING_PID=$(cat "$LOCKFILE" 2>/dev/null)
if [ -n "$RUNNING_PID" ]; then
        RUNNING_NAME=$(ps -p "$RUNNING_PID" -o comm= 2>/dev/null)
        if [ "$RUNNING_NAME" != "processname.sh" ]; then
                rm -f "$LOCKFILE"
        fi
fi

# Acquire the lock (lockfile retries until it can create the file)
lockfile "$LOCKFILE"
# lockfile creates the file read-only, so writing our PID into it only works
# as root unless we make it writable for the owner first
chmod u+w "$LOCKFILE"
echo $$ > "$LOCKFILE"
# Release the lock even if the script is killed or exits early on an error
trap 'rm -f "$LOCKFILE"' EXIT

echo "whatever i am doing and plop in a log $(date)" >> /var/log/processname.log

# ...snip...

echo "whatever i am doing is completed $(date)" >> /var/log/processname.log

# Release the lock
rm -f "$LOCKFILE"
If you're doing a scad of stuff, rotate your logs by placing an appropriately named file in /etc/logrotate.d:
/var/log/processname.log /var/log/ohlookanotherprocessname.log {
    rotate 7
    daily
    missingok
    notifempty
    compress
    sharedscripts
}

Friday, March 2, 2012

sources.list for ubuntu 7.10

what an unoriginal title.
deb http://old-releases.ubuntu.com/ubuntu/ gutsy main restricted
deb http://old-releases.ubuntu.com/ubuntu/ gutsy-updates main restricted
deb http://old-releases.ubuntu.com/ubuntu/ gutsy universe
deb http://old-releases.ubuntu.com/ubuntu/ gutsy-updates universe
deb http://old-releases.ubuntu.com/ubuntu/ gutsy multiverse
deb http://old-releases.ubuntu.com/ubuntu/ gutsy-updates multiverse
deb http://old-releases.ubuntu.com/ubuntu/ gutsy-security main restricted
deb http://old-releases.ubuntu.com/ubuntu/ gutsy-security universe
deb http://old-releases.ubuntu.com/ubuntu/ gutsy-security multiverse