Tom's FreeBSD blog

July 21, 2010

Finding a user’s primary group in AD

Filed under: Active Directory — tmclaugh @ 1:30 pm

Active Directory is at its heart LDAP and Kerberos on steroids.  For what I’m concerned with in regard to *nix hosts, that’s all it is.  On the host it’s nss_ldap for user info and MIT or Heimdal kerberos for authentication, just like it would be in a pure *nix environment.  The only need for Samba is the simplicity of adding hosts to AD and managing the kerberos keytab file; the net command fills the role of kadmin.  All of that could even be done using a Windows host and transferring a keytab file to the *nix host to eliminate Samba entirely, if you really wanted to do the extra work.  While working with Apache’s mod_authnz_ldap and mod_authz_svn I’ve run into an idiosyncrasy with user primary groups which results from how AD stores that information differently from a traditional OpenLDAP setup.

AD stores user group info with both the group and the user.  On the group, user DNs are stored in the member attribute.  Using Python:

>>> import ldap, pprint
>>> l = ldap.initialize('ldap://example.com')
>>> l.simple_bind_s('tmclaughlin@EXAMPLE.COM', '********')
>>> pprint.pprint(l.search_s('ou=groups,dc=example,dc=com', ldap.SCOPE_SUBTREE, 'cn=Domain Admins', ['member']))

[('CN=Domain Admins,OU=Groups,DC=example,DC=com',
 {'member': ['CN=TMCLAUGHLIN,CN=Users,DC=example,DC=com',...]})]

On the user, supplemental group DNs are stored in the memberOf attribute, while the primary group is recorded in the primaryGroupID attribute as the group’s Windows RID value.

>>> pprint.pprint(l.search_s('cn=users,dc=example,dc=com', ldap.SCOPE_SUBTREE, 'sAMAccountName=tmclaughlin', ['memberOf', 'primaryGroupID']))
[('CN=TMCLAUGHLIN,CN=Users,DC=example,DC=com',
 {'memberOf': ['CN=Radius Admins,OU=Groups,DC=example,DC=com',
   'CN=Domain Server Admin,OU=Groups,DC=example,DC=com',
   'CN=Employee,OU=Groups,DC=example,DC=com',
   'CN=Schema Admins,OU=Groups,DC=example,DC=com',
   'CN=Domain Admins,OU=Groups,DC=example,DC=com',
   'CN=Enterprise Admins,OU=Groups,DC=example,DC=com'],
  'primaryGroupID': ['513']}
)]

It’s easy enough to search and find a user’s supplemental groups but their primary group is a little harder.  The RID is the last component of the group’s SID.  (See Windows SID Structure for further explanation of SIDs and their components.)  The RID is not stored as a separate attribute of the group but is contained in the group’s objectSid attribute which stores the group’s SID in a binary encoded form.

>>> pprint.pprint(l.search_s('ou=groups,dc=example,dc=com', ldap.SCOPE_SUBTREE, 'cn=Domain Admins', ['objectSid']))

[('CN=Domain Admins,OU=Groups,DC=example,DC=com',
 {'objectSid': ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x007~;e\xa0\x07\xe4I\x18IF\x17\x00\x02\x00\x00']})]

In order to find the user’s primary group you need to first determine the domain SID, then convert it to a string, and finally search for the <domain SID>-<group RID> value.  I wasn’t sure how to convert the SID value stored in AD to a string but with some help from web2ldap I was able to see how to do it:

import struct

def sid2str(sid):
    # Byte 0 is the SID revision, byte 1 the number of sub-authorities
    srl = ord(sid[0])
    number_sub_id = ord(sid[1])
    # Bytes 2-7 are the 48-bit big-endian identifier authority; pad to 8 bytes for '!Q'
    iav = struct.unpack('!Q', '\x00\x00' + sid[2:8])[0]
    # Sub-authorities are 32-bit little-endian values; the last one is the RID
    sub_ids = [
        struct.unpack('<I', sid[8+4*i:12+4*i])[0]
        for i in range(number_sub_id)
    ]
    return 'S-%d-%d-%s' % (
        srl,
        iav,
        '-'.join([str(s) for s in sub_ids]),
    )

The result is the following steps:

# Get RID of primary group
>>> pri_grp_rid = l.search_s('cn=users,dc=example,dc=com', ldap.SCOPE_SUBTREE, 'sAMAccountName=tmclaughlin', ['primaryGroupID'])[0][1]['primaryGroupID'][0]
# Get domain SID
>>> domain_sid = l.search_s('dc=example,dc=com', ldap.SCOPE_BASE)[0][1]['objectSid'][0]
# Convert domain SID to string form
>>> domain_sid_s = sid2str(domain_sid)
# Search for group with <domain SID>-<group RID> objectSid value
>>> pprint.pprint(l.search_s('ou=groups,dc=example,dc=com', ldap.SCOPE_SUBTREE, 'objectSid=%s-%s' % (domain_sid_s, pri_grp_rid), ['cn']))

[('CN=Domain Users,OU=Groups,DC=example,DC=com',
 {'cn': ['Domain Users']})]

July 20, 2010

mod_authz_svn and AD group synchronization

Filed under: Active Directory,Apache — tmclaugh @ 2:29 pm

I have a semi-private SVN repository served up over Apache at my job where I keep all my work.  It’s semi-private in that I want my group to have read and write access, Employees to have read access in case they find anything interesting, and finally non-Employee domain accounts to have no access.  Down the road I may want some more flexibility in this setup, possibly restricting all access to parts of it to just Domain Admins while giving write access to certain other people or groups in the company for certain projects.  Rather than creating separate repos with their own separate Apache configs I decided on path based authorization.

There is a downside to this approach and it is how to use our AD groups to control access.  By creating separate repos I could use mod_authnz_ldap to authorize access based on our AD groups.  I’ve found mention of patches to mod_authz_svn to add LDAP functionality but no patches to try out.  With path based authorization I needed a way to keep the groups in the authz file in sync with our AD groups.  I ended up settling on a script I found here and running it as a cron job.

Using LDAP Groups With Subversion’s Authz File

[root@corptech ~]# ./sync_ldap_groups_to_svn_authz.py -d cn=nss_ldap,ou=services,dc=example,dc=com \
-p <password> -l ldap://example.com -b ou=groups,dc=example,dc=com -i sAMAccountName \
-z /srv/svn/authz.conf

The script works well but has a few issues.  I’ve merged some of the patches from the comments section of that post into his script.  These include the fix for the “Invalid cross-device link” error and the patch to handle paged searches.  I left out some others since they weren’t useful to me and the time to merge unformatted patches (the comments section strips white space) wasn’t worth it.  I’ve also added support for handling ranged attributes.  A Windows 2k3 DC will only return 1500 values of a multi-valued attribute at a single time.  This is not to be confused with the page size limit, although in Windows 2k the range limit was 1000 values, the same as the default page size limit.  This is a hard limit and cannot be changed.

Python 2.6.2 (r262:71605, Apr 14 2009, 22:40:02) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap, pprint
>>> l = ldap.initialize('ldap://example.com')
>>> l.simple_bind_s('tmclaughlin@EXAMPLE.COM', '*********')
(97, [])
>>> r = l.search_s('ou=groups,dc=example,dc=com', ldap.SCOPE_SUBTREE, 'cn=Employee')
>>> pprint.pprint(r)
[('CN=Employee,OU=Groups,DC=example,DC=com',
 {'cn': ['Employee'],
 'dSCorePropagationData': ['20100412182218.0Z',
 '20100412181952.0Z',
 '20091218151750.0Z',
 '20091216205638.0Z',
 '16010714223649.0Z'],
 'description': ['Example Company's Employees'],
 'distinguishedName': ['CN=Employee,OU=Groups,DC=example,DC=com'],
 'groupType': ['-2147483646'],
 'instanceType': ['4'],
 'member': [],
 'member;range=0-1499': ['CN=TMCLAUGHLIN,CN=Users,DC=example,DC=com',
....

We have over 3000 members of our Employee group so this became a problem.  The patch linked at the end of this post includes the two previously mentioned patches along with the ability to handle large groups.  One thing the patch does not handle is the way AD handles primary group membership.  A user is not listed in the member attribute of their primary group and the group is not listed in the memberOf attribute of the user.

>>> r = l.search_s('cn=users,dc=example,dc=com', ldap.SCOPE_SUBTREE, 'cn=tmclaughlin', ['memberOf', 'primaryGroupID'])
>>> pprint.pprint(r)
[('CN=TMCLAUGHLIN,CN=Users,DC=example,DC=com',
 {'memberOf': ['CN=Employee,OU=Groups,DC=example,DC=com',
 'CN=Radius Admins,OU=Groups,DC=example,DC=com',
 'CN=Domain Server Admin,OU=Groups,DC=example,DC=com',
 'CN=Schema Admins,OU=Groups,DC=example,DC=com',
 'CN=Domain Admins,OU=Groups,DC=example,DC=com',
 'CN=Enterprise Admins,OU=Groups,DC=example,DC=com'],
 'primaryGroupID': ['513']})]

The primaryGroupID attribute refers to the last part of the primary group’s SID.  In this case it’s Domain Users.  Unfortunately I’m not sure how to properly convert the objectSid attribute of a group from its binary form to a string in order to attempt a match.  For now I have no way to handle syncing primary groups.  I’m open to suggestions though.

sync_ldap_groups_to_svn_authz.py.diff
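As an added example (not the blog’s code, nor web2ldap’s or the sync script’s) serving both the primary group lookup in the July 21 post above and the unsolved syncing problem in this one: it decodes an objectSid to its string form and back, composes the <domain SID>-<RID> value, and merges each user into their primary group from python-ldap style results.  resolve_primary_group assumes python-ldap and a live connection; the sample results below are constructed.

```python
import struct


def _text(value):
    # python-ldap returns attribute values as bytes on Python 3; accept str too
    return value.decode('utf-8') if isinstance(value, bytes) else value


def sid2str(sid):
    """Decode a binary SID (the objectSid attribute) to 'S-1-5-...' form."""
    sid = bytes(sid)
    # Byte 0 is the revision, byte 1 the number of sub-authorities
    revision, sub_count = struct.unpack('<BB', sid[:2])
    if len(sid) != 8 + 4 * sub_count:
        raise ValueError('SID length %d does not fit %d sub-authorities'
                         % (len(sid), sub_count))
    # Bytes 2-7 are a 48-bit big-endian identifier authority; pad to 8 bytes
    authority = struct.unpack('!Q', b'\x00\x00' + sid[2:8])[0]
    # Sub-authorities are 32-bit little-endian; the last one is the RID
    subs = struct.unpack('<%dI' % sub_count, sid[8:])
    return 'S-%d-%d-%s' % (revision, authority, '-'.join(str(s) for s in subs))


def str2sid(text):
    """Encode an 'S-1-5-...' string back into the binary objectSid form."""
    parts = text.split('-')
    if len(parts) < 3 or parts[0] != 'S':
        raise ValueError('not a SID string: %r' % text)
    subs = [int(p) for p in parts[3:]]
    out = struct.pack('<BB', int(parts[1]), len(subs))
    out += struct.pack('!Q', int(parts[2]))[2:]      # keep the low 48 bits
    return out + struct.pack('<%dI' % len(subs), *subs)


def domain_sid_of(sid_text):
    """A domain object's SID minus its final RID is the domain SID."""
    return sid_text.rsplit('-', 1)[0]


def primary_group_sid(domain_sid_text, primary_group_id):
    """Compose the <domain SID>-<RID> value the post searches objectSid for."""
    return '%s-%d' % (domain_sid_text, int(_text(primary_group_id)))


def merge_primary_members(domain_sid_text, users, groups):
    """Return {group cn: set of member DNs} from python-ldap style (dn, attrs)
    results, adding every user to the group whose objectSid matches the
    user's primaryGroupID; AD lists that link in neither member nor memberOf."""
    cn_by_sid, members = {}, {}
    for dn, attrs in groups:
        cn = _text(attrs['cn'][0])
        cn_by_sid[sid2str(attrs['objectSid'][0])] = cn
        members[cn] = set(_text(m) for m in attrs.get('member', []))
    for dn, attrs in users:
        target = primary_group_sid(domain_sid_text, attrs['primaryGroupID'][0])
        if target in cn_by_sid:
            members[cn_by_sid[target]].add(dn)
    return members


def resolve_primary_group(conn, domain_dn, sam_account_name):
    """Live variant of the post's steps over a python-ldap connection
    (assumes python-ldap is installed); returns the group DN or None."""
    import ldap
    import ldap.filter
    flt = '(sAMAccountName=%s)' % ldap.filter.escape_filter_chars(sam_account_name)
    # A search from the domain root also yields referrals, which python-ldap
    # returns as entries whose dn is None; skip those before reading attributes
    users = [r for r in conn.search_s(domain_dn, ldap.SCOPE_SUBTREE, flt,
                                      ['primaryGroupID']) if r[0] is not None]
    if not users:
        return None
    root = conn.search_s(domain_dn, ldap.SCOPE_BASE, '(objectClass=*)', ['objectSid'])
    target = primary_group_sid(sid2str(root[0][1]['objectSid'][0]),
                               users[0][1]['primaryGroupID'][0])
    groups = [r for r in conn.search_s(domain_dn, ldap.SCOPE_SUBTREE,
                                       '(objectSid=%s)' % target, ['cn'])
              if r[0] is not None]
    return groups[0][0] if groups else None


# Constructed sample: the Domain Admins objectSid bytes printed in the post
# above, plus results shaped like python-ldap's for a user whose primary
# group (RID 513, Domain Users) shows an empty member attribute.
DOMAIN_ADMINS_SID = (b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00'
                     b'7~;e\xa0\x07\xe4I\x18IF\x17\x00\x02\x00\x00')
DOMAIN_SID = domain_sid_of(sid2str(DOMAIN_ADMINS_SID))
USER_DN = 'CN=TMCLAUGHLIN,CN=Users,DC=example,DC=com'
SAMPLE_USERS = [(USER_DN, {'sAMAccountName': [b'tmclaughlin'],
                           'primaryGroupID': [b'513']})]
SAMPLE_GROUPS = [
    ('CN=Domain Admins,OU=Groups,DC=example,DC=com',
     {'cn': [b'Domain Admins'], 'objectSid': [DOMAIN_ADMINS_SID],
      'member': [USER_DN.encode()]}),
    ('CN=Domain Users,OU=Groups,DC=example,DC=com',
     {'cn': [b'Domain Users'], 'objectSid': [str2sid(DOMAIN_SID + '-513')],
      'member': []}),
]
```

Run merge_primary_members over the group and user results the sync script already fetches, and the authz file gains each user's primary group without any extra searches.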

July 15, 2010

mod_auth_kerb + AD and LDAP authorization

Filed under: Active Directory,Apache — tmclaugh @ 12:34 pm

It’s not enough to authenticate a user.  You need to also check their authorization to see if that person should be allowed access.  With Apache at work I use mod_auth_kerb for authentication and it works well.  Both IE and Firefox will send the user’s domain credentials via GSSAPI once configured correctly.*  The next step is to set up mod_authnz_ldap so we can check user account information.  Probably the most common authorization check people might use is a group membership check: you probably have content which you only want your administrators to have access to.  The combination of mod_auth_kerb and mod_authnz_ldap does not work directly out of the box.  Additionally, Active Directory throws another wrench into the problem.

Setup for mod_auth_kerb is simple enough.  With the system joined to AD already you can easily use Samba to create your HTTP SPN using the following command:

# net ads keytab add HTTP

Additionally you should use ktutil to extract only the keys for the HTTP/machine.example.com principal to a separate keytab readable by the apache process.  Once that is done the following in your Apache configuration will have kerberos authentication working:

<Location /private>
  AuthType Kerberos
  AuthName "EXAMPLE Domain Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/conf/keytab
  require valid-user
</Location>

This location isn’t really private since every authenticated user has access to this content.  I want to restrict this content to our Domain Admins group in AD.  This is where mod_authnz_ldap comes in: once the user is authenticated I want to check their group membership.  The config block has now been expanded with an authorization check on the user’s group membership.

<Location /private>
  AuthType Kerberos
  AuthName "EXAMPLE Domain Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/conf/keytab

  AuthLDAPURL "ldap://dc1.example.com dc2.example.com/dc=example,dc=com?sAMAccountName"
  AuthLDAPBindDN cn=nss_ldap,ou=services,dc=example,dc=com
  AuthLDAPBindPassword ********
  Require ldap-group cn=Domain Admins,ou=Groups,dc=example,dc=com
</Location>

What I’ve done above is in AuthLDAPURL first given two domain controllers to search for user information in case one is down.  (Remember the quotes if you specify multiple DCs.)  I’ve then specified that mod_authnz_ldap should perform searches from the domain root.  And finally, I want it to search for the entry whose sAMAccountName equals the username provided by kerberos.  With AD you need to use sAMAccountName and not uid since uid is only available if you’ve extended the AD schema for POSIX info and entered it on the account; sAMAccountName is your guaranteed unique username.  The AuthLDAPBindDN and AuthLDAPBindPassword lines are the DN and password of a user in AD with read-only access to certain parts of the directory tree to get user information.  In my case it’s the same user I use for nss_ldap.  Finally I specify the DN of the group that the user is required to be a member of.  This will still not work though and you’ll see the following in your error log:

[Thu Jul 15 09:33:49 2010] [debug] src/mod_auth_kerb.c(1432): [client 172.30.20.2] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jul 15 09:33:49 2010] [debug] src/mod_auth_kerb.c(1432): [client 172.30.20.2] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jul 15 09:33:49 2010] [debug] src/mod_auth_kerb.c(1147): [client 172.30.20.2] Acquiring creds for HTTP@corptech.example.com
[Thu Jul 15 09:33:49 2010] [debug] src/mod_auth_kerb.c(1266): [client 172.30.20.2] Verifying client data using KRB5 GSS-API
[Thu Jul 15 09:33:49 2010] [debug] src/mod_auth_kerb.c(1282): [client 172.30.20.2] Verification returned code 0
[Thu Jul 15 09:33:49 2010] [debug] src/mod_auth_kerb.c(1300): [client 172.30.20.2] GSS-API token of length 163 bytes will be sent back
[Thu Jul 15 09:33:49 2010] [debug] src/mod_auth_kerb.c(1348): [client 172.30.20.2] set cached name TMCLAUGHLIN@EXAMPLE.COM for connection
[Thu Jul 15 09:33:49 2010] [debug] mod_authnz_ldap.c(683): [client 172.30.20.2] ldap authorize: Creating LDAP req structure
[Thu Jul 15 09:33:52 2010] [debug] mod_authnz_ldap.c(695): [client 172.30.20.2] auth_ldap authorise: User DN not found, ldap_search_ext_s() for user failed

This is because the kerberos supplied principal is in the form of <username>@EXAMPLE.COM while their sAMAccountName is simply <username>.  There is no attribute created by default in AD with the user’s full kerberos principal name.  There are two ways of mangling the kerberos principal to work in an LDAP search.  One is a patch to mod_auth_kerb which adds the “KrbStripDomain” directive to remove the user’s realm and pass only the username to mod_authnz_ldap.  The other is mod_map_user which lives in the mod_auth_kerb CVS here:

http://modauthkerb.cvs.sourceforge.net/viewvc/modauthkerb/mod_map_user/

I don’t like the idea of patching distro packages so I chose the latter option.  It’s not available as a tarball from the project’s site so you need to retrieve it from CVS, autoconf it, build, and install it.  (I’ve emailed the author asking if he would create an official release.  Waiting to hear back.)  With that module installed and loaded, a single line is added to mangle the user’s kerberos principal into the user’s sAMAccountName.

<Location /private>
  AuthType Kerberos
  AuthName "EXAMPLE Domain Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/conf/keytab
  # Strip the kerberos realm from the principal.
  MapUsernameRule (.*)@(.*) "$1"
  AuthLDAPURL "ldap://dc1.example.com dc2.example.com/dc=example,dc=com?sAMAccountName"
  AuthLDAPBindDN cn=nss_ldap,ou=services,dc=example,dc=com
  AuthLDAPBindPassword ********
  Require ldap-group cn=Domain Admins,ou=Groups,dc=example,dc=com
</Location>

The mod_map_user documentation gives other creative examples of how to use it which can be combined with the AuthLDAPURL but I found this to be the simplest and fit my needs.  You could probably tune MapUsernameRule and AuthLDAPURL to place less load on your AD controller if you wanted/needed to.

AD however appears to throw a wrench into mod_authnz_ldap while it tries to search for an entry with a sAMAccountName value of the transformed username.  The error log indicates the kerberos realm was stripped but mod_authnz_ldap still had problems finding a match.

[Thu Jul 15 11:48:49 2010] [info] [client 172.30.19.45] Applying pattern '^(.*)@(.*)$' to user 'TMCLAUGHLIN@EXAMPLE.COM', mech:'Any'
[Thu Jul 15 11:48:49 2010] [info] [client 172.30.19.45] Pattern matched
[Thu Jul 15 11:48:49 2010] [notice] [client 172.30.19.45] User name 'TMCLAUGHLIN@EXAMPLE.COM' rewritten to 'TMCLAUGHLIN'
[Thu Jul 15 11:48:49 2010] [debug] mod_authnz_ldap.c(683): [client 172.30.19.45] ldap authorize: Creating LDAP req structure
[Thu Jul 15 11:48:52 2010] [debug] mod_authnz_ldap.c(695): [client 172.30.19.45] auth_ldap authorise: User DN not found, ldap_search_ext_s() for user failed

After scratching my head for a bit I resorted to a packet trace between the web server and DC.  What I found was a search for “(&(objectClass=*)(sAMAccountName=TMCLAUGHLIN))” which yielded a result.  But, since the search was performed at the root of the directory, the DC also returned referrals, which mod_authnz_ldap attempted to follow and failed in doing so.  I’d assume this should work but I had to work around it.  The solution was to set the search base to the container where all our users are.  This could be a problem depending on your tree layout however.

<Location /private>
  AuthType Kerberos
  AuthName "EXAMPLE Domain Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/conf/keytab
  # Strip the kerberos realm from the principal.
  MapUsernameRule (.*)@(.*) "$1"

  AuthLDAPURL "ldap://dc1.example.com dc2.example.com/cn=users,dc=example,dc=com?sAMAccountName"
  AuthLDAPBindDN cn=nss_ldap,ou=services,dc=example,dc=com
  AuthLDAPBindPassword ********
  Require ldap-group cn=Domain Admins,ou=Groups,dc=example,dc=com
</Location>

With all this in place I’m now able to successfully authenticate users accessing content and authorize them based on their AD group membership.  One important note though: if it’s really that important to restrict access to content then SSLRequireSSL should be added.  I simply left it out for debugging and setup purposes.

* For Firefox in about:config you can add “*.example.com” to “network.negotiate-auth.trusted-uris”.  For IE the default settings for the Intranet Zone are to send credentials automatically.  However, if you use an FQDN it assumes the host is part of the Internet Zone and you need to add “http://*.example.com” to the list of sites in the Intranet Zone.

July 14, 2010

mod_auth_kerb + Windows AD and “Server not found in Kerberos database”

Filed under: Active Directory — tmclaugh @ 3:13 pm

At work we’re a predominantly Windows shop but I have a machine with CentOS 4 loaded on it which I used for various *nix related experimentation.  I’m our AD admin so I’ve used it a bit for kerberos and LDAP interoperability testing.  AD is pretty much krb5 and LDAP on steroids and it’s not hard to get a *nix machine to authenticate against and pull user info from it.  I set this box up a few years ago and recently decided to do a fresh install and move it to CentOS 5.  This fresh install however had some kerberos issues due to some things I forgot I did years back.

When I was first toying with kerberos on this box and authenticating against AD I used some older instructions which avoided Samba.

http://grolmsnet.de/kerbtut/

This worked just fine but step 6 caused me headaches after I installed CentOS 5 and decided to use Samba to join my machine to AD and use it to manage the kerberos keytab on it.  The instructions call for creating a dummy account and using ktpass.exe on a Windows box to generate a keytab file and a corresponding HTTP SPN.  I created an AD user called http_corptech which had the SPN HTTP/corptech.example.com@EXAMPLE.COM attached to it.  Once I had the keytab in place and mod_auth_kerb setup this worked fairly well.

When I installed CentOS 5 on the machine I decided to use Samba for managing domain membership since it had advanced over the years and now had the ability to manage the kerberos keytab.  After /etc/krb5.conf was set up the following two commands took care of my domain membership:

# net ads join -U tmclaughlin
# net ads keytab create

A few days ago I went to set up mod_auth_kerb again.  I used the same config I’ve always used and currently have working on other machines, and used the following command to create my HTTP SPN:

# net ads keytab add HTTP

However, I received 401 errors when trying to access protected content.  I decided to crank Apache’s LogLevel up to “debug” and watched error_log.  The following was what I saw:

[Tue Jul 13 23:54:27 2010] [debug] src/mod_auth_kerb.c(1432): [client 172.30.19.45] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Jul 13 23:54:27 2010] [debug] src/mod_auth_kerb.c(1432): [client 172.30.19.45] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Jul 13 23:54:27 2010] [debug] src/mod_auth_kerb.c(1147): [client 172.30.19.45] Acquiring creds for HTTP@corptec.example.com
[Tue Jul 13 23:54:27 2010] [debug] src/mod_auth_kerb.c(1266): [client 172.30.19.45] Verifying client data using KRB5 GSS-API
[Tue Jul 13 23:54:27 2010] [debug] src/mod_auth_kerb.c(1282): [client 172.30.19.45] Verification returned code 589824
[Tue Jul 13 23:54:27 2010] [debug] src/mod_auth_kerb.c(1309): [client 172.30.19.45] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Tue Jul 13 23:54:27 2010] [error] [client 172.30.19.45] gss_accept_sec_context() failed: Invalid token was supplied (No error)

With tcpdump I saw that, for some reason, both Firefox and IE were attempting NTLM negotiation instead of GSSAPI when attempting to access this content.  I spun my wheels with this error for a bit.  Eventually I enabled KrbMethodK5Passwd for mod_auth_kerb, which I had disabled previously to make sure tickets were working correctly.  If my ticket was being rejected there was already something wrong and dealing with a password prompt was just a waste of time.  When I did this I found the following in error_log.

[Tue Jul 13 23:55:21 2010] [debug] src/mod_auth_kerb.c(1432): [client 172.30.19.45] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Jul 13 23:55:21 2010] [debug] src/mod_auth_kerb.c(915): [client 172.30.19.45] Using HTTP/corptech.example.com@EXAMPLE.COM as server principal for password verification
[Tue Jul 13 23:55:21 2010] [debug] src/mod_auth_kerb.c(655): [client 172.30.19.45] Trying to get TGT for user tmclaughlin@EXAMPLE.COM
[Tue Jul 13 23:55:21 2010] [debug] src/mod_auth_kerb.c(569): [client 172.30.19.45] Trying to verify authenticity of KDC using principal HTTP/corptech.example.com@EXAMPLE.COM
[Tue Jul 13 23:55:21 2010] [debug] src/mod_auth_kerb.c(584): [client 172.30.19.45] krb5_get_credentials() failed when verifying KDC
[Tue Jul 13 23:55:21 2010] [error] [client 172.30.19.45] failed to verify krb5 credentials: Server not found in Kerberos database
[Tue Jul 13 23:55:21 2010] [debug] src/mod_auth_kerb.c(994): [client 172.30.19.45] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)

I could see now that there was a problem with the kerberos setup somewhere.  I had already created a new keytab file and even removed and rejoined the machine to AD.  Finally it struck me.  The “Server not found in Kerberos database” error message was not entirely accurate.  It’s not that the SPN wasn’t found in AD…  It was that multiple objects in AD had that SPN.  Both the computer account I created with Samba and the old dummy user I had created had a servicePrincipalName attribute with the SPN HTTP/corptech.example.com.  Once I deleted the dummy account from AD and the change propagated, kerberos authentication worked just fine.  Anyone who has used the older instructions I used before and now plans on using Samba to manage the kerberos keytab will probably find this info helpful.  The kerberos error about the server not being found will probably lead you off in the wrong direction.

p.s. I had a similar issue with ksu before on the machine when I first installed CentOS 5.  I had created a host_corptech user so I could get tickets originally and was receiving the same error.
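As an added example (not the blog’s code) of the check this post points to: a function that groups python-ldap style search results by servicePrincipalName and reports any SPN held by more than one object, the condition hiding behind the misleading “Server not found in Kerberos database” error.  The spn_holders helper assumes python-ldap and a live connection; the sample results are constructed.

```python
def _text(value):
    # python-ldap returns attribute values as bytes on Python 3; accept str too
    return value.decode('utf-8') if isinstance(value, bytes) else value


def find_duplicate_spns(entries):
    """Group python-ldap style (dn, attrs) results by servicePrincipalName and
    return {spn: [dn, ...]} for every SPN held by more than one object.
    Matching is case-insensitive, as the KDC's own lookup is."""
    holders = {}
    for dn, attrs in entries:
        if dn is None:        # referral from a root search, not an object
            continue
        for spn in attrs.get('servicePrincipalName', []):
            holders.setdefault(_text(spn).lower(), set()).add(dn)
    return dict((spn, sorted(dns)) for spn, dns in holders.items()
                if len(dns) > 1)


def spn_holders(conn, domain_dn):
    """Live variant (assumes python-ldap): fetch every object carrying an SPN
    so find_duplicate_spns can be run over the whole domain."""
    import ldap
    return conn.search_s(domain_dn, ldap.SCOPE_SUBTREE,
                         '(servicePrincipalName=*)', ['servicePrincipalName'])


# Constructed sample reproducing the situation in the post: the Samba-joined
# computer account and the old dummy user both carry HTTP/corptech.example.com,
# and a root search has also returned a referral entry (dn None).
SAMPLE = [
    ('CN=CORPTECH,CN=Computers,DC=example,DC=com',
     {'servicePrincipalName': [b'HOST/corptech.example.com', b'HOST/CORPTECH',
                               b'HTTP/corptech.example.com']}),
    ('CN=http_corptech,CN=Users,DC=example,DC=com',
     {'servicePrincipalName': [b'HTTP/corptech.example.com']}),
    (None, ['ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com']),
]
```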

February 2, 2010

VMware serial consoles.

Filed under: FreeBSD,Virtualization — tmclaugh @ 5:45 pm

I’ve recently run into a problem with 7-STABLE on VMware ESXi 3.5u4.  With a recent change my VM shuts off shortly after probing the LSI (mpt) disk controller.  The same behavior started occurring over the summer in HEAD and the quick workaround is to change the VM’s disk controller type from LSI to BusLogic.  Lately I’ve had some time to poke people about this issue so I figured I would.  The problem is getting as much as I can while booting and having some usable boot messages for someone to look at.  This would usually be accomplished by redirecting console output to a serial port on the problem machine and hooking up a crossover cable between it and another box.  I haven’t done this on VMware before though so I had to do a little googling and it’s pretty simple.

On the FreeBSD side the following needs to be added to /boot/loader.conf:

console="vidconsole,comconsole"

This will redirect the console to both the video display and a serial port.  Once that is done shutdown the VM so the serial port can be added and configured.

With the crashing VM turned off go to “Edit Settings”:

Edit options screen

Click the “Add” button to add a serial port to the VM:

Add Hardware screen

For the serial port output select “Connect to named pipe”:

Port Type screen

Finally configure the pipe:

Named Pipe settings screen

The name of the pipe should be a file location on the VM host machine, not the guest.  The near end is “Server” since I want to see the output from this VM and the far end will be another virtual machine.  For the VM I’ll be connecting from to view the console output I would do the same but near end would be “Client”.

Once all this is done, from the second working VM launch cu(1).

# cu -l cuad0

After that boot the crashing VM and kernel messages should appear on the second VM.  That’s all it takes to set up a serial connection between two FreeBSD VMs on VMware.

Update: Images fixed.

June 21, 2009

Tehran on September 11th

Filed under: FreeBSD — tmclaugh @ 8:43 pm

The following is from a report on 60 Minutes II back in October of 2002.  NITV is a California based Iranian-American TV station carried internationally via satellite with viewership in Iran.

And the mullahs really couldn’t take what NITV did on Sept. 11. Hours after the attacks, Zia [Ataby] took to the air with a message for Iranian youth: “To show your feeling and share your feelings with American people, come to the Mossani square in Tehran and bring your candle.”

They brought their candles and their voices, shouting, ”Death to terrorists.” Six thousand demonstrators were called to the streets of Tehran by Zia Atabay in North Hollywood, the only show of support for America in the Islamic world.

Note: I’ve tried searching for video of the original report but cannot find it.  If anyone can help me out with that it would be pretty sweet.  Thanks.

Update: Only article I was able to find on the event filed when it occurred.

March 26, 2009

Some days in Ireland – Thursday

Filed under: Ireland — tmclaugh @ 11:10 pm

Headed into Ciddy Center with Jayme on Thursday for the afternoon as a minor repeat of Monday.  Mostly was just hungry and wanted to eat in town and have something local.  We got dropped off on the quay and made our way around the streets.  Looked down a side street and glanced at a sandwich board which said “Food served all day” and decided to head towards it.  It was The Gingerman which we had heard people mention before.  As we sat and looked through the menu I looked around the place.  Was trying to figure out what to drink while I was looking around the bar and noticed most people were having tea, coffee, or soda.  Kind of struck me that no one was having a beer.  Not uncommon at home for people eating lunch out during the week to have a beer with their meal even if it’s during the work day.  Later was told by someone that people don’t typically do that here.  I ordered a tea.  With that I ordered the Irish stew which I knew I had to eventually have since I love lamb and don’t find lamb stew too often at home.  On the subject of food I knew people would ask me if I had Irish stew and I couldn’t say, “No, but do you know what crubeens are?”.  It was served piping hot and quite good.  Later on Pat the owner stepped by to clear our dishes and we started talking to him.  Told him we saw the sandwich board and decided to make our way over here.  He then went into the local bureaucrats who kept threatening him because the board used to be at the end of the block where it was easier to see.  He’s seen other boards in the spot he used to put his so he may put his back there eventually.  Pat’s never been to the US and wishes he had gone.  His wife doesn’t like flying too much and a 5-6 hour plane ride is just beyond her.  Most of their travels have been wherever they can get in about 2-3 hours by plane.  I told him to leave his wife at home but as he’s gotten older he’s less enthusiastic to fly as well.  He also told me he wouldn’t tell his wife what I had just said.

After we left the Gingerman we strolled around for a short bit more.  We walked into the shop we had been in on Monday and looked for things for people back home.  No one really expects any gifts from me.  I don’t even buy stuff for myself when I go places other than a shot glass to add to my collection.  I don’t need tons of crap, just something to look at and remind me where I’ve been and everything important comes back to me after that.  For that reason I don’t see the point of giving other people crap when I get back.  “Here’s the fridge magnet I got when Tom went to Ireland.”  It ends up being some random junk hanging around their house with no meaning to them.  I did however ask about another O’Meara name placard for my grandmother due to the horrible printing on the one I found but she said they had no more and that particular card was just terrible.  I figured that might mean something to her.  Looked around the rest of the things there and there were tons of Guinness stuff but really I could get any of that back home.  Only difference would be the pint seal on the glasses.  Settled on a crystal mini-tumbler which said “Ireland” on it with the island cut into it.

Jayme and Keith were leaving for Dublin that evening by train and she had to be home soon and pack.  I was supposed to join them the next day.  She grabbed a cab and I walked around some more doing touristy stuff like seeing the old sites and taking pictures.  Reginald’s Tower was open this time so I went in to see what it was all about.  It formed a corner of the city walls that protected the former Viking settlement and is the oldest standing urban civic structure.  In addition it was where Strongbow of the Anglo-Norman invasion force met the daughter of the King of Leinster, Aoife.  Aoife (anglicized as Eva) happens to be a pretty popular name in Waterford because of this story.  As I made my way around I made sure to mind all the “Watch your head” signs as most of the doorways were as high as about my chin.  As I climbed the stairwells in between each floor the height seemed to decrease.  Not too bad when walking upstairs as I just had to hunch forward.  A lot harder walking downstairs as I had to lean backwards to get down.  My hair is styled upwards in the front so I moved slowly and used it like a cat uses its whiskers to make sure I wasn’t about to smack my head.  I made it out alive and without leaving blood anywhere.  From there I just walked around and took pictures before grabbing a taxi back.

Later that night I went out to dinner with someone from Waterford.  Emiliano’s is a small Italian restaurant in Waterford and one of its best.  After dinner we spent some time at the Gingerman.  Pat had just left a half hour before we arrived unfortunately.  Afterwards we went down to Ruby’s for a few drinks.  Another band playing tonight.  Still got a kick out of “Burning Love” being followed by a Kings of Leon song.  Made it to Muldoons across the street after a round and there were a few more people than the night before.  One of the bartenders was the bassist from the band the night before at Ruby’s.  It was their third gig and I wished them luck, and then downed my Jaegerbomb.  Ended up dancing after that for a little bit.  Next we ended up in Harvey’s for a round and stayed until close.

March 25, 2009

Some days in Ireland – Wednesday

Filed under: Ireland — tmclaugh @ 11:05 pm

Jayme headed out with Keith’s mom for the day.  Before they left Catherine told me to clean up all the recyclable glass in the house.  I did it.  I spent most of the day writing and watching a little TV.  Mostly just been jotting down notes each day and wanted to form something more readable for this trip.  Went out that evening with Keith’s family for dinner.  His parents Catherine and Michael and his sister and brother-in-law Linda and Ahren.  Sat on the end next to Catherine and across from Ahren.  Good seat.  People don’t wrap the food they don’t finish to take away here it appears.  For that reason food tends to flow down-table towards Ahren when people can’t finish things.  Appetizers are different here.  Back home you usually order large common appetizers for the whole table.  As a guest you usually skip the appetizer page since you don’t want to be rude.  Wasn’t until the last moment that I realized I was supposed to pick a starter in addition to my main course.  Food was wonderful.  Had to ask if the prawns still had heads on them before I ordered them.  The table laughed and assured me my dinner would not be eying me.  Michael also pointed out that I was drinking my Guinness wrong.  I always thought a thick head was incorrect and usually buried my lips into the drink to get past it.  However the head is supposed to cut the bitterness of the drink.  Made a mental note of that for future reference.  Made it out to the Uluhru after that for a round with the family.  Really awesome people and enjoyed talking with Ahren a lot.

Keith, Jayme, and I next went to Muldoons in Ciddy Center for drinks.  Kind of dead.  Even for a Wednesday night which is a typical college night along with Monday.  (Though not nearly as crazy as Saturdays are.)  We went across the street to Ruby’s afterward and planned on going upstairs with all the dance music.  I was ready to leave Jayme and Keith to hear the band on the first floor though when I noticed they were playing “All Right Now” by Free.  They played “Go Johnny Go” after that…  And then Gerry Rafferty’s “Baker Street”?!?!?!  I’ve heard that song a few times over here.  Don’t hear it much at home.  Band was ultimately very good.  Left after their “Sweet Child Of Mine” finale and headed to Hillbillies for a snackbox.  Chicken was far better than the local KFC but still couldn’t match Popeye’s.  Maybe around Roy Roger’s in my fried chicken hierarchy of greatness though it tasted more garlicky than spicy.

March 24, 2009

Some days in Ireland – Tuesday

Filed under: Ireland — tmclaugh @ 11:02 pm

Jayme and I hit a wall on Tuesday.  Both of us are still adjusting to the time difference.  You might think it’s from all the drinking but not really.  Guinness doesn’t give you much of a hangover.  It’s one of the positives of being a Guinness drinker in the US.  Even still the ciders and other beers here don’t give you much of a hangover either.  Say what you will about all the drinking I’ve done here but it’s served a very useful purpose in helping me to fall asleep and hasn’t exactly impeded my functioning during the day.  Anyways, we spent the afternoon watching local TV.  I loved Airwolf growing up.  Also, Home And Away becomes kind of addicting.

Later on that night I split off from Jayme and Keith.  Went to Geoff’s in Ciddy Center.  Dark.  Best description I have for it.  By the bar in the front there’s a line of string with reading glasses hanging on it.  The bartender said they just hang all the glasses that get left there on it.  Not sure if people lose their glasses because of the drinking or because they’re impossible to find in the dark.  Occasionally as I understand it people will ask to borrow a pair from the line if they’ve forgotten their own.  Spent a lovely evening out with a local girl.  Left when they finally kicked us out.

March 23, 2009

Some days in Ireland – Monday

Filed under: Ireland — tmclaugh @ 11:00 pm

Jayme and I spent Monday walking around Ciddy Center in Waterford.  It’s pretty quaint with many areas that are pedestrian only.  We probably should have asked people what to do around town as we had no clue where to go or what we were doing.  Waterford is the oldest city in Ireland and Reginald’s Tower is the oldest standing urban civic structure in Ireland so there should be some history.  Then again, I don’t really care if I see things and stand in front of them to have my picture taken.  Everybody does that.  We meandered our way through the streets in and out of shops.  We stepped into a small gift shop but I was not going to buy a bunch of Guinness knick-knacks.  They did however have those family name placards.  They had spelled it “McLoughlin” and noted “McLaughlin” as an alternative.  The lineage sounded like the version I vaguely remember but the crest looked completely different.  They also had an O’Meara card for my grandmother on my dad’s side but the printing was smudged a bit in a few spots so I decided to leave it and see if maybe I ran across one elsewhere.

We left the shop and kept walking the streets.  Eventually we went into one of the malls.  Clothes shopping was a bit of an experience for me.  Found a nice shirt in one of the shops and looked for my size.  I’m about a large or extra-large in the US.  I’m a big guy but fairly skinny.  I decided to grab an extra-large and tried it on figuring “Well, stuff runs smaller here.”  I put the thing on and honestly felt like one of those guys back home wearing a smedium t-shirt.  I felt like if I moved my arms back a bit I’d have some Bruce Banner incident.  A double extra-large would have been more appropriate if they had one.  Again, how are people so small here when they put butter on their bacon?

After leaving the mall Jayme stopped into a store and I hung around on the street.  There were two kids a few doors down playing some music.  They were playing Jim Croce?!?!?  “Bad, Bad, Leroy Brown”.  After that they broke into “The Boxer” from Simon and Garfunkel.  I tossed them two Euros since I like both songs and was quite surprised to hear them.  I kind of wanted to ask them why they were playing American music.  Music that you really don’t hear in the US.  In fact, I’ve heard a lot of good older US music since I’ve been here that I never hear at home.  On the car radio later that night I heard “Roadrunner” from The Modern Lovers (and all its Boston references) and “The Ocean” from the Velvet Underground (which never even made it onto a real VU album) after it.  Later as we walked there was an old man with a small dented amp playing Woodie Guthrie’s “This Land is Your Land”.  I wanted to stay and see if he knew the “private property” verse.  That verse and the “relief office” verse give the song a much different meaning than the version I was taught as a kid.  I could barely understand his singing so I figured we might as well meander on.  I know there are different versions in other nations.  Was he singing an Irish version and that’s why I was confused?

By this point we were a little hungry so we stopped into McDonald’s.  Yes, we went to McDonald’s while on vacation across the Atlantic Ocean.  We were those tourists.  However it’s worth mentioning that the Big Tasty with bacon (hey, bacon again) was actually pretty good.  Way better than the Big Mac at home.  It was actually, well, tasty and I’ll even say I liked it better than the burger yesterday in Tramore.

After lunch we made our way down a small street and found BPM Records which we stepped into.  MUCH smaller than the music stores I know back home but actually managed to find some music to buy.  Even with the large stores at home I typically find myself scouring Amazon for anything I really want.  Found a recent Undertones (they hailed from Ulster) CD which I picked up.  No Stiff Little Fingers CDs however.  Also picked up a few other albums.  Punk music, not Irish folk music.

Headed along the quays stepping in and out of places.  Eventually came to the corner with Reginald’s Tower though it was closed.  Across from there in the middle of the street there is a statue of Thomas Francis Meagher who was an American Civil War general.  May seem weird that a statue of an American general is standing in Waterford but he was from Waterford and is most well known for designing the Irish tri-color flag.  The green for the Catholics, the orange for the Protestants, and the white for peace in between.

Headed past there when Jayme and I decided to head into a pub for a drink.  We came across the Green Fiddler which had previously been Paul Flynn’s.  Walked in and everyone turned to look at us.  Four people sitting at the bar, a man and woman at a table and the place still managed to be crowded as the room was slightly bigger than a shoebox.  VH1 Classic was playing the Spice Girls on the corner TV though the bartender switched it to traditional Irish music once he realized Jayme and I were Americans.  He also told the drunken Scotsman to behave himself.  Once everyone found out we were Americans they wanted to talk to us.  They wanted to tell us about Waterford or if they had been to America where they had been. Sinead tried to keep Ivor from chewing our ear off but I enjoyed it.  After we finished our pints we then headed to Jordan’s a few blocks over which Sinead had recommended.  She felt we’d get an even better view of real Waterford in a place like that than we had in a place like T&H a few nights ago.

Stepped into Jordans and it was about twice the size as the Green Fiddler with about the same amount of people.  There were three guys named Brian at the bar drinking and they introduced us to Johnathan at the other end but he was “more interested in his four legged friends” on the TV.  Eventually we met Jason when he emerged from somewhere else in the bar.  He had spent some years living around the US.  He spent some time in Queens and for a time further out on Long Island before moving to San Diego.  I pressed him further about Long Island and found out he lived in the late 80′s / early 90′s in my hometown of Freeport.  He was on the opposite south side of town from me when I was growing up.  This makes the second person with ties to Freeport that I’ve run across here.  (Well, Keith’s roommate’s girlfriend I haven’t actually met but that’s still more people in Waterford from my hometown than I know of in Boston.)  Finally Keith came from work and grabbed us.  Would have kept talking but we had to leave.  Keith later explained that maybe talking with people who were drunk on a Monday afternoon wasn’t the best idea.  I kind of see the point.  I’d usually avoid those people back home but I found everyone very friendly and interesting.  By the way, I had a cider there and liked it but can’t recall the name.  Started with a “C” I believe.  It was pumped instead of poured from a tap.

Later that evening we made our way to Rocket’s in Tramore which had been so busy the day before and I had another traditional Irish meal.  Keith had told me about the ribs.  They’re boiled.  I had also heard about the crubeens.  They’re pigs’ feet…  Boiled.  The ribs ended up being pretty good with a little bit of mustard.  The meat reminded me of corned beef actually.  If you took the ribs off the bone, shredded it, and threw it onto some bread with a little bit of mustard it would make a killer sandwich.  The crubeens I found a little tougher to eat.  I was pulling apart the bones searching for the meat but mostly had just skin along with fat and gristle that had an almost jelly like consistency.  Keith finally told me that was what you ate.  Later heard, “Yeah, even we don’t eat that.  You’re pretty brave,” when it comes to crubeens from various people.

After dinner we went to a pub near Keith’s house.  The sign on the door said “members only” which scared us a little bit.  We walked in and a handful of people sat at the bar while there was a large poker game setup across the room.  We later found out the sign was up from the weekend and is there to keep the knackers out and prevent trouble.  Knackers are what we call Irish Travelers in the US.  Had some pints and ended our evening there.
