In the past, simply double-clicking on the .p12 file would prompt for the passphrase and import it into the login [...]]]> I love OS X and every iteration has gotten better and better. But every once in a while tasks that should be simple–aren’t. Take the case of trying to add a S/MIME certificate to the Keychain.

In the past, simply double-clicking on the .p12 file would prompt for the passphrase and import it into the login chain. After getting my certificate issued by StartSSL and stored in Firefox, I exported the certificate and private key, set a passphrase, double-clicked, and….

An error has occurred. Unable to import an item. The contents of this item cannot be retrieved. You failed to provide the necessary administrator authorization. (Added so the search engines will pick this up)

And so the battle commenced. There really isn’t a lot out there discussing when Keychain Access fails. The closest similar discussion was by Midori Green (email thread here). The error was different, but it was the same attempt to import a PKCS12 file.

I tried using openssl to rearrange the certificates in the file (after exporting into PEM format), tried adding/removing/changing the private key passphrase, import/export from a Windows machine in .PFX format, and even trying to recreate the PKCS12 file from its’ constituent parts.

Luckily, I ran across this post on krypted.com that mentioned the CLI command security. After placing the exported .p12 file (from Firefox) in a directory and launching terminal, I was able to use the command:

linus:gadams$ security import startssl-smime-cert.p12 -f pkcs12 ~/Library/Keychains/login.keychain
1 identity imported.
2 certificates imported.

And bam!, the certificate loaded. Composing a new message in Mail.app showed the signing and encryption boxes. Although I still get invalid signatures when sending rich text format messages, plain text are properly getting signed.

I am curious exactly what command is executed when you double-click on a certificate file. I assume the Keychain access application makes underly calls to security, but I’d like to be able to trace the steps it takes.

Side note, I’m going to do an opinion piece of certificate authorities in general and digital certificates, SSL, S/MIME, and all that rot. There are some great options for small companies and individuals to get certificates at a cheap or free price. No Verisign or GTE Cybertrust (err Verizon Business) $$$$$ prices need apply!

In the past under Windows XP, scheduling tasks was a breeze. It still is under Windows 7, except by default they don’t run. I [...]]]> DeltaCopy is a great easy to use rsync client (and server) for Windows. Based on Cygwin, it front-end the rsync client and adds the capabilities to schedule tasks and send email notifications.

In the past under Windows XP, scheduling tasks was a breeze. It still is under Windows 7, except by default they don’t run. I assume the application hasn’t been fully tested under Windows 7, and I know it can have issues with UAC and the scheduler.

I’ll explain the steps I’ve taken to get backup tasks to operate.

Installation

A normal installation works fine, but to insure UAC doesn’t mess with anything I use C:\DeltaCopy as the installation directory.

Creating a New Copy Job

I won’t go through the details of selecting directories for backup, but when selecting the scheduling option, the way the task is created needs to be modified. For example, a new job called Backup Stuff is created:

By default the schedule is created, but not run. Selecting the Modify Schedule button shows the created settings:

As you can see, the run command reference the .dcp file, which I assume contains the parameters for the backup job. On the run command, insert deltac.exe then a space, then the .DCP file, like so:

Select the Schedule tab or settings for configuring the job like any other Windows task. When you hit apply, the job should run as expected.

let me know if anyone runs into problems with this!

If you get queried by friends or family, visit one of the various iJango sites then take a look at this article that exposes one of the main [...]]]> I normally don’t warn people about what should be obvious scams, but our neighborhood has been hit hard with “iJango! iJango! iJango!”. Basically, it’s another multi-level marketing scam.

If you get queried by friends or family, visit one of the various iJango sites then take a look at this article that exposes one of the main people behind this scheme. Make sure you visit a couple other sites on both sides before making any decision.

From what I see in the compensation plan, this isn’t even the typical pyramid scheme. To make money, you have to generate 3 leads. So instead of the typical 2*n growth curve, you need to see a 3*n curve. To get your original $150 back, you need to sign up 21 people (assuming a 1 level deep return).

Google “pyramid scheme” and ijango. Grain of salt….

I’m running Windows 7 RC1 64-bit  (build 7100), and downloaded the corresponding driver file for [...]]]> Overall Photoshop CS4 Extended is running like a champ in 64-bit mode. It sees 6GB of RAM and all my plugins are working fine. However, my older Wacom Graphire tablet isn’t working for pressure sensitivty in Photoshop. There is a solution!

I’m running Windows 7 RC1 64-bit  (build 7100), and downloaded the corresponding driver file for my tablet (release date of Sep 10, 2007). It works fine, and pressure sensitivity works in Photoshop 32-bit and the tablet preferences. Wacom support said to download the driver for the Intuos 4 (Vista OS). The driver is WacomTablet_611-3.exe (link may change) and after removing the older driver and installing this one, all tablet features working AOK!

Make sure to apply the 11.0.1 Photoshop update as there are numerous complaints of tablet issues with the initial CS4 release (11.0.0).

There are a couple settings required on the SB-800 and the D-200, but it works well.

I had the AB’s setup [...]]]> So, I have a Nikon D-200, 2x AlienBees 400 strobes, and an SB-800 speedlight that I wish to use in a three light setup. Can I trigger the two AlienBees (AB)and the SB-800 without pre-flashes? Yes.

There are a couple settings required on the SB-800 and the D-200, but it works well.

I had the AB’s setup and wanted to use the SB-800 as a hair or background light. Normally I shoot in Nikon’s Creative Lighting System (CLS) which provides a great way to manage speedlights off-shoe.

CLS is a communication mechanism between the camera and the speedlight(s). It uses a pre-flash that unfortunately the AlienBees see, which in turn has them fire, followed by the SB-800 firing and the camera taking the shot. End result is an unlit picture.

So, the quick and dirty of it:

1. AlienBees are set to fire from the on-board flash (i.e., no sync cord or remote used)
2. Camera’s built-in flash is set for manual mode (e4 set to Manual and 1/128 power, to use as the strobe/speedlight trigger)
3. SB-800 is set to SU-4 mode (hold SEL button until four boxes come up, navigate to the mode icon, select SU-4)

At this point, with the camera’s built-in flash up, when it fires (at 1/128th power), both the studio lights and the SB-800 will fire at their respective power settings. The SB-800 in SU-4 mode can be set to manual, at which point the power can be set from full (1/1) to 1/128. Also, you can change the focus from 24mm – 105mm, or leave the diffuser on which sets it at 14mm.

After installing the 10.5.7 upgrade, pairing the headset with [...]]]> Normally Apple’s operating system, OS X, works well with accessories such as my new Jawbone headset. The headset works wonderfully on the iPhone, but do a Google search for “os x jawbone bluetooth mic static” and see issues that 10.5.x has with most microphones on bluetooth headsets.

After installing the 10.5.7 upgrade, pairing the headset with the MacBook Pro, then launching Audacity, for the first time I was able to record my voice and play it back. Next up is Skype, Ventrilio, and my favorite IAX softphone. It looks like 10.5.7 addressed the bluetooth issues with the Jawbone, here’s hoping everyone else’s headset work well too!

This posting will walk you through the steps needed to [...]]]> Linux and Windows Active Directory (AD) integration has come a long ways since 2000. It is now quite easy to take advantage of Kerberos for managing authentication at the host level (user logins and such). Surprisingly, it’s just as easy to the same in Apache now.

This posting will walk you through the steps needed to configure and test authentication against a valid AD user.

Prerequisites

It is assumed the following prerequisites are in place:

• CentOS 5.2 Server – fully updated
• Apache, Kerberos, and supporting packages installed
• Samba configured as member server (net ads join has been successfully performed)
• Windows Server 2003 R2 or 2008 SP1 with UNIX Identity Management extensions installed
• Kerberos working (kinit from a AD user properly authenticates and klist shows tickets)

If possible, test this from a freshly installed machine. In this example, the following servers and realms will be referenced:

AD Server       dc01.example.com
Linux Server    www.example.com
Computer Object www
Kerberos Realm  EXAMPLE.COM

Creating the SPN

Kerberos uses a service principal name for each service available on the host. For a server that can authenticate against AD, this would include at least the HOST principal. From the AD server, issue the setspn command to view the current SPN’s assigned to www.example.com (use the canonical name for www, not the FQDN):

C:\>setspn -L www
Registered ServicePrincipalNames for CN=www,CN=Computers,DC=example,DC=com:
        HOST/www
        HOST/www.example.com

Now as root on www issue the command to create the HTTP SPN (the net ads command is provided by the samba packages–make sure these are installed even if they are not used):

[root@www /]# net ads keytab add HTTP -U administrator
Processing principals to add...
administrator's password: *******

The -U is used to provide an administrator account with Domain Admin privileges. This step has added the SPN which we’ll see in AD, and it has also updated the local keytab file /etc/krb5.keytab with the SPN bits.

To verify the SPN has been created properly, issue the same setspn command and verify there are entries for HTTP. It should look something like this:

C:\>setspn -L www
Registered ServicePrincipalNames for CN=www,CN=Computers,DC=example,DC=com:
        HTTP/www
        HTTP/www.example.com
        HOST/www
        HOST/www.example.com

Configure Apache

Make sure the package mod_auth_kerb is installed. This should create the configuration file in /etc/httpd/conf.d/auth_kerb.conf which will load the Kerberos module and provide a commented out example (which we’ll use). First, because httpd runs as apache, we need to copy the keytab file and change permissions so that apache can read it. I’ve placed it in the default specified in the auth_kerb.conf file:

[root@www /]# cp /etc/krb5.keytab /etc/httpd/conf/keytab2
[root@www /]# ls -l /etc/httpd/conf
total 64
-rw-r--r-- 1 root   root   33760 Mar 25 14:01 httpd.conf
---------- 1 root   root    1321 Mar 25 15:06 keytab
-rw-r--r-- 1 root   root   12958 Nov 12 10:43 magic
[root@www /]# chown apache.apache /etc/httpd/conf/keytab2
[root@www /]# chmod 400 /etc/httpd/conf/keytab2
[root@www /]# ls -l /etc/httpd/conf
total 64
-rw-r--r-- 1 root   root   33760 Mar 25 14:01 httpd.conf
-r-------- 1 apache apache  1321 Mar 25 15:06 keytab
-rw-r--r-- 1 root   root   12958 Nov 12 10:43 magic

Create an Apache Location for Testing

Now modify the “private” location and uncomment the directives and set them for the realm (changes from defaults in bold):

[root@www /]# vi /etc/http/conf.d/auth_kerb.conf# The mod_auth_kerb module implements Kerberos authentication over
# HTTP, following the "Negotiate" protocol.
#
LoadModule auth_kerb_module modules/mod_auth_kerb.so
#
# Sample configuration: Kerberos authentication must only be
# used over SSL to prevent replay attacks.  The keytab file
# configured must be readable only by the "apache" user, and
# must contain service keys for "HTTP/www.example.com", where
# "www.example.com" is the FQDN of this server.
#

#<Location /private>
#  SSLRequireSSL
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate On
 KrbMethodK5Passwd On
 KrbAuthRealms EXAMPLE.COM
 Krb5KeyTab /etc/httpd/conf/keytab
 require valid-user
</Location>

Create the directory (/var/www/html/private) and a test HTML file in the directory (index.html). Restart httpd and navigate to the URL (http://www.example.com/private/index.html). You should be prompted for credentials. Using a valid AD user and password should get you in. A side benefit is that if logged into a workstation within the domain (e.g., Windows XP, Vista, etc), using Internet Explorer should use your Kerberos credentials to authenticate.

Uses

For production use, any application or web service that can use Apache’s authentication mechanisms should work. Take care to understand that even if you enter a short username, the realm will be appended onto the end. In this example, the username gadams would appear as gadams@EXAMPLE.COM in the log files, and probably be presented to the referenced application.

Credit

I’d like to Scott Lowe for all the articles he has done on Linux / AD / Kerberos integration, and this article, which was where I started my CentOS / Apache / Kerberos / AD journey. His article covers all the basics, but a lot has changed (for the better) since 2006. Thanks Scott!

We recently had some bad weather here in North Georgia. Tornadoes, power lines down, etc. I came home from a business trip to my main PC with a failed power supply. No worries I thought, [...]]]> When it’s time to lay down a new operating system on Intel system, do you go for:

• Windows Vista?
• Linux?
• Windows XP?
• Hackintosh?
• Windows 7 Beta?

We recently had some bad weather here in North Georgia. Tornadoes, power lines down, etc. I came home from a business trip to my main PC with a failed power supply. No worries I thought, off to Fry’s for a replacement.

Since I haven’t upgraded my PC in a couple years, I went with a modular power supply, high efficiency, etc. The problem with installing such a power supply in an Antec P180 case (still my favorite for quietness) is that the modular connectors need to be put in place after the power supply has been mounted.

That’s when I found out that the PCI-E connector (8 pin) will accept the SATA power connector (6 pin). Hook everything up and power up the PC. BIOS POST starts, but states in cannot see any hard disk drives. Sure enough they aren’t spinning, and by the way, what is that burning smell?? Oh noes!!!!

PCI-E provides a 12V rail while SATA drives prefer a more sedate 5V input. Needless to say, both drives smoked. Another trip to Fry’s and a 1TB Seagate later (that doesn’t have the firmware issue of the earlier Barrcudas), and it’s time to install an OS.

Windows Vista

The most obvious choice for home users. It’s the current operating system sold by Microsoft, supported, etc. And, I even have two copied of Vista Ultimate at home (thanks to the Microsoft Store a couple years ago). But two years ago when I installed Vista, I struggled with it for 4-6 months before falling back to XP (32-bit).

At work we still have issues with Vista compatibility and speed, so it’s not my first choice.

Linux

I work with Linux server installs daily (RedHat, CentOS, Debian), and have installed Ubuntu on a laptop for some Cisco simulation love (GNS3). But I still want to run software that I use for photography work and general Office productivity. So, not really an option just yet. I’ll give it a year or so and revisit.

Windows XP

Tried and true, stable, and getting looooong in the tooth. It’s what I was running before, and even though it worked fine, there still were some issues of newer hardware not being recognized, or development support no longer provided (Logitech G15 Gaming keyboard for example).

It is still an option, but comes in second.

Hackintosh

I love my MacBook Pro and the design and operation of OS X. My PC hardware would run it fine, but that means very messy upgrades from every dot release and major OS upgrade. Plus, I still need a Windows machine to do “work” work from time to time, and Fusion doesn’t always cut it.

Windows 7 Beta (Build 7000)

The reviews show Windows 7 having better stability than Vista, faster than XP, and even for an “early” beta, fully functional. And since I need to become familiar with the OS that most companies will deploy post-XP, a jump into the deep end seems doable.

Although there still numerous applications, drivers, and other bits to install if I do go back, it’ll be good to see how others who get Windows 7 will be affected.

One thing I have done (and saved my butt when I smoked my hard drives) is to make sure all my documents and media (photos, songs, video, etc) are backed up on the Internet (Dropbox) or on a couple other servers locally.

So when that day comes in August or Septemer or whenever WIndows 7 is released, I’ll be able to simply deactive applications (Adobe, iTunes, etc), reinstall, and restore the data. It’ll still be a weekend plus job, but I did almost get two years out of the previous XP install.

So tune in for short posts on the results of the Windows 7 install, what works (and doesn’t), and anything I find out along the way.

Well, Galin Iliev has the answer. By using the [...]]]> So you need to access a SQL Server (2005) using the SQL Server Management Studio. The server is running with Active Directory only authentication, but your laptop isn’t in the target domain and you only have access to the SQL server port (TCP 1433). What to do?

Well, Galin Iliev has the answer. By using the runas command with the /netonly switch, you can pass credentials to the Management Studio which are used for access to the remote server. Only correction to Galin’s post is that the SQL Server Management Studio executable is sqlwb.exe instead of ssmsee.exe.

So for us road warrior consultants, there is a way to access AD credentialed SQL server databases without have to join a domain or have any more network access than the TCP/IP port for the SQL server.