Friday, 11 November 2011

Sharing files from a Windows 7 box to an XP

Microsoft has created a rather nifty option to share resources in a server-less environment (eg a "home" or just a small office), called HomeGroup sharing. It works in Windows 7 and somehow magically builds on IPv6.

But HomeGroup sharing isn't available on XP, so you'll have to take the traditional road of right-clicking the folder you want to share, choosing Advanced sharing and setting the security bits just right (eg Share security: write for Everybody, full control for Administrators; File security: as tight as you need).

But sometimes that's not enough.

At a client with a mixed machine environment, suddenly they couldn't get to a file share residing on a Windows 7 box when coming from an XP box. I got system error 58 (or was it system error 85?). Windows croaked. I tried firewall settings, tried user rights, tried whether the fact that they'd already connected to another file share on another XP box had anything to do with it.

While i did a whole bunch of seemingly arbitrary fixing moves, it was after doing the following that things started working again.

  • Start the local security policy editor, secpol.msc
  • Go to Local Policies > Security Options
  • Scroll down to Network Security: LAN Manager authentication level
  • Change the setting from "Send NTLMv2 response only" to "Send LM & NTLM - use NTLMv2 session security if negotiated"

The reasoning behind this is that Windows 7 and Vista work on a newer and more secure variant of the LAN Manager authentication protocol than XP does. You might get a similar problem when connecting from a Linux box or a NAS (which very well may be a Linux box) to a Windows 7 box. Changing this setting starts the negotiation using the older version and switches to the more secure one if the two endpoints can agree on that.
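As an added example (my code, not from the original post), the PowerShell below reads the registry value that the secpol.msc option above maps to, names it in the editor's own words, and previews the change with -WhatIf; the function names are my own. It also shows the alternative a practitioner would usually prefer: raising the XP side to "Send NTLMv2 response only" rather than lowering the Windows 7 side, because level 1 still answers with LM and NTLM whenever the other end asks for them.

```powershell
# Added example, not code from the original post. The secpol.msc option
# "Network Security: LAN Manager authentication level" is stored as
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Names exactly as the Local Security Policy editor shows them, by stored value.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # An absent value means "Not Defined", i.e. the OS default (3 on Windows 7).
    $value = (Get-ItemProperty -Path $LsaKey -ErrorAction Stop).LmCompatibilityLevel
    if ($null -eq $value) { $value = 3; $source = 'OS default' } else { $source = 'registry' }
    [pscustomobject]@{
        Level         = [int]$value
        Name          = $LmLevelNames[[int]$value]
        Source        = $source
        # Levels 0-2 still hand out LM/NTLM responses on request; 3 and up are NTLMv2 only.
        SendsLmOrNtlm = ([int]$value -le 2)
    }
}

function Set-LmCompatibilityLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][ValidateRange(0, 5)][int]$Level)
    $current = Get-LmCompatibilityLevel
    $change  = "LmCompatibilityLevel $($current.Level) -> $Level ($($LmLevelNames[$Level]))"
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $change)) {
        # Needs an elevated shell; the value is a REG_DWORD.
        Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    }
}

# What is this box doing right now?
Get-LmCompatibilityLevel | Format-List

# The post's fix is level 1 on the Windows 7 side. Preview it before committing:
Set-LmCompatibilityLevel -Level 1 -WhatIf

# The less permissive fix: run this on the XP box instead, so both ends stay
# at "Send NTLMv2 response only" (XP supports NTLMv2 via the same setting):
# Set-LmCompatibilityLevel -Level 3
```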

Took me several hours to get this right. I hope this will help you make a swifter fix.

Sunday, 30 October 2011

Blinking lights on the LAN

The sorry state of my garden lights has taken one pathetic step to the brighter. I can now blink my garden lights over the local network, using a serverized version of the Lua script i wrote earlier to do the same over the command line. Okay, so it's one step better than ssh'ing into the box and entering relay commands over Bash :)

I first thought of learning some more Lua to make the script socket-aware. But then it hit me: Linux has all this built in, into a "super server" called inetd, which i've never actually used before but kinda know of due to its history of security issues. Still, i feel like such a late bloomer for never having used inetd before.

Here's how, if you're one of the inetd virgins. Edit /etc/services and add the name, port and protocol of your service. In my case, i called it relay 11647/tcp. Call update-inetd --add ...and a bunch of arguments separated by the \t (tab) character, as one wonky string. Yeah, it's hairy.

I needed to make just one change to the Lua script. Since the script won't read command line arguments anymore -- and i don't know if it's by design or my deficiency -- i had to add if rel == nil then rel, act = io.read( "*number", "*number" ) end to the code, so that the relay number and action are read from standard input instead.

Still, now i can say echo 4 1 | nc gardengnome 11647 which is a sure sign about a turn for the better :)

Did this make any sense at all to you?

Thursday, 27 October 2011

Ping watchdog with Powershell

We have one unreliable virtual server which sometimes just loses its network connection. Until we have a permanent solution, the temporary fix is to have the computer reboot if it loses network connection.

Note: There is nothing as permanent as a temporary solution. With that warning, let's get to it.

Step 1 - Produce the following Powershell script into c:\bin\pingdog.ps1

# Test-Connection -Quiet returns $true if any of its (default four) echo
# requests to the host gets a reply, and $false otherwise.
$netup = Test-Connection -Quiet "goo.gl"
if( $netup -eq $False ) {
  Restart-Computer
}

Step 2 - Fix your security settings

Start Powershell. Enter Set-ExecutionPolicy RemoteSigned or whatever level you're comfortable with that'll still run your script.

Step 3 - Schedule it

If you're using Windows Server 2003 (like us, ungh), schedule a daily task to run %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe c:\bin\pingdog.ps1

From the task's Properties, the Schedule tab, press the Advanced button. Tick Repeat Task, every 12 minutes (or whatever you fancy), and repeat for 24 hours.

If you're using Windows Server 2008 or later, you should be able to set the task to run every x minutes right from the interface.

Step 4 - Check your logs

Keep an eye on the failing computer's system log to see if it's restarted when you looked away.
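Here is a more defensive pingdog.ps1, added as my own example rather than the post's script: it reboots only after several consecutive scheduled runs have failed to reach any of several targets, and it leaves a trail in the Application event log so step 4 has something to find. The target list, the state-file path and the event source name are placeholders; the run counter is kept in a small file because each scheduled run is a fresh process.

```powershell
# Added example, not the original post's script. Schedule it exactly like the
# original (every 12 minutes); it counts failed runs instead of rebooting on
# the first one. Target hosts, state file and event source are hypothetical.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # The post pings goo.gl only; a gateway plus two external hosts avoids a
    # reboot just because one site or one DNS lookup is having a bad day.
    [string[]]$Targets = @('goo.gl', '192.168.0.1', '8.8.8.8'),
    # Consecutive failed runs needed before rebooting (3 runs x 12 min).
    [int]$FailuresBeforeReboot = 3,
    [string]$StateFile = 'C:\bin\pingdog.state',   # hypothetical path
    [string]$EventSource = 'PingDog'                # hypothetical event source
)

function Test-AnyTargetReachable([string[]]$Hosts) {
    foreach ($h in $Hosts) {
        # -Quiet gives $true on any echo reply; errors (e.g. name resolution) count as down.
        if (Test-Connection -ComputerName $h -Count 2 -Quiet -ErrorAction SilentlyContinue) {
            return $true
        }
    }
    return $false
}

function Get-FailureCount([string]$Path) {
    # Missing or empty file means no failures recorded yet.
    if (Test-Path $Path) { return [int](Get-Content $Path -ErrorAction SilentlyContinue | Select-Object -First 1) }
    return 0
}

function Write-PingDogEvent([string]$Message, [string]$Type) {
    # Registering the source needs admin rights once; the task runs elevated anyway.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource -EventId 1001 -EntryType $Type -Message $Message
}

if (Test-AnyTargetReachable $Targets) {
    if ((Get-FailureCount $StateFile) -gt 0) {
        Write-PingDogEvent "Network is back; resetting the failure counter." Information
    }
    Set-Content -Path $StateFile -Value 0
    return
}

$failures = (Get-FailureCount $StateFile) + 1
Set-Content -Path $StateFile -Value $failures
Write-PingDogEvent "No target reachable ($($Targets -join ', ')); failed run $failures of $FailuresBeforeReboot." Warning

if ($failures -ge $FailuresBeforeReboot) {
    # -WhatIf on the script shows the decision without actually rebooting.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Restart-Computer after $failures consecutive failed runs")) {
        Write-PingDogEvent "Rebooting after $failures consecutive failed runs." Error
        Set-Content -Path $StateFile -Value 0
        Restart-Computer -Force
    }
}
```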

Monday, 24 October 2011

Happy UN day

Greetings to everybody working in the UN, everybody who have worked in the UN and all who are to work for the UN. Especially this goes to my chums who i had the joy and privilege to work with in Timor-Leste some six short years ago. It was a great gig, wasn't it? :)


Thursday, 6 October 2011

It blinks!

A while ago, i bought an Ethernet module from Sure electronics. I wasn't sure what to use it for or if i indeed would be able to use it for anything, but it was cheap and hey, you could connect it to the Ethernet. Can't be all bad :)

Having less than a raving success with controlling my garden lights with a Nanode, i decided i needed a break. And so i googled "Arduino Sure-electronics ethernet", and lo && behold(), up comes a blog post with just what i needed, but hadn't known to expect: that it's really easy to interface an Arduino with the Ethernet, and that the magic is built on the EtherShield library which i was already using on the Nanode.

So i soldered the seven pins needed to have the two devices talk with each other. Wired them together with neat and correctly coloured jumper wires. Copied the code into my editor. Changed the MAC and IP addresses. Verified the code ("It compiles! Ship it!"). Uploaded it to the Arduino board. And it - just - worked!

You can't imagine how excited i was when i was able to open up a web page, served from the Arduino, and toggle a LED on and off over my LAN. It's just so neat! (Or if you do know me, you can probably imagine just how excited i was :) I should have taken a picture, or a video!

So my thanks go out to Henrik Denhart who wrote the blog post and to Andrew Lindsay, coder and maintainer of the EtherShield library, and indeed the whole Arduino maker movement who with their enthusiasm and drive for openness make the platform such a wonderful thing it is!

Monday, 19 September 2011

Toys and frustrations

We live in such wondrous times when it comes to toys! I'm not only talking about prefabricated toys like touch sensitive cardboard electric guitars, affordable remote controllable helicopters that avoid walls and are meant for inside-the-house use or not-really-that-intelligent robots. I'm talking about web servers no larger than a deck of cards -- both wired and wireless (and the wireless one is more like the size of a credit card) -- stamp size microcontrollers that can speak with servos, LCD displays, lasers, motion sensors and RFID readers. These are the kind of toys that really drive me wild.

As these kinds of wonderful microcontrollers with their peripherals have become both available and affordable, i've bought some of 'em to tinker with. My latest purchase is the Nanode, which is an Arduino clone with wired Ethernet built in. It's cheap, made by hackers (=enthusiasts, makers) and was delivered by mail as a bag of discrete components and a little slip of paper with a URL to the web page which has instructions on how to build the little bugger.

So i soldered. I bought magnifying glasses (yes, plus-glasses --- i'm now officially getting old) and that soldering station i've been drooling over for so long. And it was wonderful! I assume the first builders of the first Altair and Apple computers must have felt a little like this (though i freely admit that they were truly hard core, whereas i was treading tested ground). And you can't believe my exhilaration when i managed to flash the Nanode with a DHCP test program and got the signs of life over serial that the device was really working and that it had received an IP address from my router. That, my friends, is confirmation of existence!

It hasn't been all roses of course. My current sorrow is that the Nanode i have doesn't want to co-operate with the FTDI breakout board i got from eBay.

And there are plenty of challenges in the past. I bought a Web server module from Dangerous Prototypes (love the name!). The first one had a bug in the hardware and i felt fairly stupid for quite a while since i really had no way of knowing if it was me being incapable -- a valid guess -- or the device being faulty. Ian, the very nice dude behind DP, helped me get the device fixed and returned at no extra cost. I've bought a small wireless web server prototype from Sure electronics, but the only thing you can do with it is flash a LED and check its ambient temperature. They're not very explicit about it, but it seems like you should be able to reflash the hardware yourself, if i could only get the source code from somewhere. And i got the Texas Instruments wrist-mountable computer Chronos because it was on sale, but i haven't got around to coding it yet.

But hey, i'll get something working because boy, these toys are fun!

Tuesday, 30 August 2011

How not to stop your email flow when leaving your network service provider in anger

True story ahead. A customer of ours decided to leave their current network service provider. They were, let's say, substantially unhappy with the service.

Now from the customer's point of view, the network service company was their "web hotel". Unfortunately, when the customer terminated their contract with the network service company, they unwittingly also terminated their domain hosting service, leaving their DNS records in limbo and effectively stopping all incoming email, since the sending mail servers had no idea where it should be delivered. It's like taking the name plate away from your mailbox. The mailbox still exists, but the mailman has no idea which one is yours.

Our customer has had little success in contacting their old service provider, who is in no hurry to service an angry ex-customer of theirs.

Lessons to learn:

  • Look before you leap. If you aren't 100% sure of what the leap means, consult someone who is.
  • If you are a network service provider, be cool and do provide service even to disgruntled ex-customers. They might tell their peers to stay clear of you, and in best case, they might even come back.
  • Don't do anything in anger.


Friday, 27 May 2011

Oops! Didn't mean to send that!

Have you been in the situation where you sent an email and then immediately went (in cinematographic drama slow motion) "Nooooooooo...! I did not mean to send that!"? I'm sure you have. I have.

If you use Gmail, there's a wonderful setting, Enable Undo Send. Set it to ten or twenty seconds, which will leave the message in the outbox instead of delivering it right away. Ten-ish seconds should be enough for you to get the oh-no reaction and press Z to effectively unsend your message.

There's a similar trick for Microsoft Outlook. Create a Rule. Start with a blank rule applied when messages are sent (last on the list). Check no conditions unless you really want to tweak things. Defer the delivery by one minute (again, the last setting). No exceptions necessary (unless, again, you really want to tweak things). Give your rule a nifty name ("Delay sending by one minute") and that's it!

Outlook has a feature to "Recall a message". What it in practice does is send a second message to the original recipient telling them that you wanted to recall the message. That, if anything, would make the recipient want to go "wow, what's he written now?". The funny thing is that your Outlook will just look smug and say that it's recalled the message (or at least attempted to). Oh yeah. Or you can buy an Exchange module to have the server delay the message deliveries, but all in all the rule is the cheaper option :)

Tuesday, 15 March 2011

Moving the Windows task bar between displays

At work, i have a rather nice 24" Samsung display as my main viewer, to the left of which stands my laptop. Since i do some full screen remote desktop work from time to time, i decided that maybe it's better to have the task bar on the laptop screen even if it's farther from my focus and my pointer (see Fitts's law).

There are three ways you could move the task bar to the Other display.

The way that does not work - Right click the task bar and choose Properties. Click and ogle foolishly. While you can choose where on the display the Task bar will reside, there is no way to instruct Windows on which display to put it.

The cumbersome way - The really nonintuitive way would be to right-click the desktop, choose Screen Resolution (no, not Personalize, though you can get to the Screen Resolution display by clicking the Display link on the Personalization page :). Then click the relevant display and tick Make this my main display. Click OK.

The direct interaction way - Right-click your task bar and uncheck Lock the taskbar (it probably is checked, and normally should be). Drag it to the other display. Right-click it again and Lock the task bar. Nifty, though as a side effect, this will make the display with the task bar your main display. Not that i know what that means, but that's how the cards roll.

Friday, 11 March 2011

Email address policy firstname@domain with Exchange and PowerShell

If you don't know of Exchange (2010) E-mail Address policies, you should. If all your company's people should have an address firstname.lastname@somedomain.com and a secondary address firstname.lastname@somedomain.net and then suddenly a new address firstname@somedomain.com -- you need E-Mail Address Policies.

Not only that, but you also need PowerShell, since the Exchange console Email Address Policy editor does not support arbitrary email address templates. One template it can't handle is exactly that one, firstname@anywhere, so out comes PowerShell.

Fire up your Exchange Management Shell and enter something along this line:

Set-EmailAddressPolicy -Identity 'Default Policy' -EnabledPrimaryAddressTemplate "smtp:%g.%s@somedomain.com" -EnabledEmailAddressTemplates "smtp:%g.%s@somedomain.net", "smtp:%g@somedomain.com"

That last bit was the magic one. Substitute 'Default Policy' with whatever policy you're editing and change somedomain.com to suit your organization.

Saturday, 5 March 2011

The spontaneously disappearing printer

In retrospect, it's all very obvious, like most things technical are. I got a case from a customer's site saying that every once in a while, they became unable to print anything and they needed to restart the printer to get output on paper. Needless to say, they were pretty annoyed about the situation. But with that information, it could have been pretty much anything. 

I called the site and asked for some details. The site in question is a small store with just a few computers and two printers. They said the problematic printer was a Brother and they use it from all the computers in the shop. I took a remote connection to their site and found through some iteration the computer providing the print queue. The shared printer turned out to be a network printer (as indicated by the Ports thing on the printer queue) so i did three things: 

  1. i started digging through any Windows event logs for errors (but couldn't find any),
  2. i had a look at the web UI of the printer, and
  3. i started a continuous stream of pings (ping -t) to the printer

There was one thing i didn't think to do, which i'll tell you about in a while.

The UI was horrible to look at and had a copyright 2006 text on it. The network configuration (and other "dangerous") bits were protected by a password.

Suddenly the printer's web UI became unavailable. I looked at the ping thing but the address kept on answering. I thought that maybe the printer had faulty firmware and a flash would be in order. There was however something strange with the pings. The TTL value had suddenly changed. I checked out the ARP tables (arp -g) for the printer, flushed the ARP tables, and checked again. This could only mean one thing. There were two devices on the network with the same IP address.

The thing i had left out earlier was to check the ARP tables before i started pinging. I would then have had a MAC address for the printer while it was still available.

I called the store and asked them what networked stuff they really had there. It turned out that their credit card reader is on the LAN as well. A-ha! So keeping the ping -t up, i asked them to power off the printer -- the pings stayed up -- then unplug the credit card reader. Plop. Connections time out. Ask to power up printer. Ping response. Flush and check ARP table. And indeed, i now had two MAC addresses for that IP address. Plug in credit card terminal. TTL changes. Flush and check ARP. And the MAC address has changed. 

Target acquired. Cause confirmed.

Since i had no access to the credit card terminal, the only solution would be to change the IP address of the printer. Ping to find an unused address on the LAN. Google for the standard password of said printer (and sigh with relief that it was valid). Change the IP address of the printer. Change the IP address for the print queue's Port. Test print from all computers. Phew. Mission accomplished.

So what can be learned here? Static IP addresses are bad. DHCP is good. And documenting your network is even better. Had the TTL value not changed when the pings started to go to the credit card terminal, the debugging would have taken even longer.
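The TTL-and-ARP check the post walks through by hand can be automated. The following PowerShell is an added example (mine, not the author's); the address is a placeholder. It pings one IP on a loop and warns when either the reply TTL or the ARP-cached MAC for that address changes, which is exactly the symptom that gave the second device away above.

```powershell
# Added example, not from the original post: watch one IP for the signature
# of two devices sharing it (reply TTL flips, ARP-cached MAC flips).
param(
    [string]$Address = '192.168.1.50',   # placeholder: the printer's address
    [int]$IntervalSeconds = 2,
    [int]$Rounds = 0                      # 0 = run until Ctrl-C
)

function Get-ArpMac([string]$Ip) {
    # Parse "arp -a <ip>" so this works on Windows versions without Get-NetNeighbor.
    # Typical entry line:  192.168.1.50   00-80-77-11-22-33   dynamic
    # Note: "arp -d <ip>" (admin) forces a fresh lookup; without it the cached MAC
    # only flips when the entry is refreshed and the other device answers first.
    $line = arp -a $Ip 2>$null |
        Where-Object { $_ -match "^\s*$([regex]::Escape($Ip))\s+" } |
        Select-Object -First 1
    if ($line -and $line -match '(([0-9a-f]{2}-){5}[0-9a-f]{2})') { return $Matches[1].ToLower() }
    return $null
}

function Get-ReplyTtl([string]$Ip) {
    # System.Net.NetworkInformation.Ping behaves the same on Windows PowerShell and PowerShell 7.
    $reply = (New-Object System.Net.NetworkInformation.Ping).Send($Ip, 1000)
    if ($reply.Status -ne 'Success' -or $null -eq $reply.Options) { return $null }
    return $reply.Options.Ttl
}

function Watch-DuplicateIp {
    param([string]$Ip, [int]$Interval, [int]$MaxRounds)
    $lastTtl = $null; $lastMac = $null; $round = 0
    while ($MaxRounds -eq 0 -or $round -lt $MaxRounds) {
        $round++
        $ttl = Get-ReplyTtl $Ip
        $mac = Get-ArpMac $Ip              # the ping above has just refreshed the ARP entry
        $stamp = Get-Date -Format 'HH:mm:ss'
        if ($null -eq $ttl) {
            Write-Host "$stamp  no reply from $Ip"
        } else {
            if ($null -ne $lastTtl -and $ttl -ne $lastTtl) {
                Write-Warning "$stamp  TTL changed $lastTtl -> $($ttl); a different device is now answering for $Ip"
            }
            if ($null -ne $lastMac -and $mac -and $mac -ne $lastMac) {
                Write-Warning "$stamp  MAC changed $lastMac -> $($mac); two devices share $Ip"
            }
            Write-Host "$stamp  reply ttl=$ttl mac=$mac"
            $lastTtl = $ttl
            if ($mac) { $lastMac = $mac }
        }
        Start-Sleep -Seconds $Interval
    }
}

Watch-DuplicateIp -Ip $Address -Interval $IntervalSeconds -MaxRounds $Rounds
```

Power the suspected devices off and on one at a time while it runs, as the post does, and the warnings tell you which one is the intruder.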

Needless to say, the shop's boss was very happy (and i hope he mentions it to my boss :). On Monday i shall have a look at another similar store where they have a spontaneously disappearing server...

Thursday, 3 February 2011

On a higher level

I had a nice day at work. What could have been a tedious exercise in not getting bored turned out to be one of trying out stuff i haven't tried in the wild. Normally, the job of installing two identical PCs with Windows, Office and whatnot is one that i've considered time for the mind to rest. The only part i really despise is waiting for stuff to download. Like Office.

Another thing i dislike is unnecessarily repeated effort. Thus, instead of installing F-Secure antivirus on two machines, i created an OU for computers under construction and added the .msi installer to a group policy i used for software installation. I would have used the F-Secure policy manager but the Windows firewall was blocking my attempts to take over the computers in such an organized fashion.

I also wanted to install the management agent we use to take care of our clients' computers, but since this installer was an .exe, i had to add it as a startup script. Fortunately the installer has a switch to not have it run if the agent already is installed.

I then proceeded with trying out Published apps (versus the Assigned ones above). I put Google Chrome ("business" edition) and Adobe Reader X for installation on demand. Reader complained that it didn't have any options to set (or something) but both installers were visible on the client computers' Install from the network control panel bit.

After that the two machine users were to have a catalogue software they use in their work. These installers come as old-fashioned CDs with loads of everything. At this stage i started experimenting with RemoteApps. The client has a terminal server that they really didn't use for much. I might have added a TS RemoteApp role service there, but after that it was a thoroughly enjoyable ride. I installed the software on the terminal server and added Domain Users as ones who are allowed to make remote desktop connections to the server. Then i opened up the Terminal Services RemoteApp admin tool and added the newly installed program as a RemoteApp. Then i was struck by lazy so i just created an .rdp file for the app and saved that in a shared folder. Sure there are more elegant ways but this was good enough...

In the end, the RemoteApp worked fine on a Windows 7 machine but less so on an XP, which croaked that the machine name didn't match the certificate.

So to recap, no higher magic was applied. These are all normal stage tricks, but ones that i'd never actually bothered trying, and ones that turned out really fun to try!

I know i'm being less technically specific in this posting, but there was not really that much magic involved. I can fill in the specs if anybody needs 'em.

Sunday, 23 January 2011

A good day

After all the stress it feels wonderful to have an altogether ordinary weekend. I've been out with the kids on the sledding hill (photographic evidence on Facebook), we've eaten weekend food, watched TV, taken it easy. If anything special has happened, i've forgotten what it was.