http://xkcd.com/303/

git-svn problems on Mac – Mountain Lion

This came from an Atlassian article that appears to no longer be available or has moved. I pulled this from the cached version of the article on Google for reference. Hopefully this will help others having the same problem with git-svn on Mac.

Symptoms

git-svn repositories fail to clone/pull/push from Subversion after upgrading to Mac OS X 10.8 Mountain Lion

Cause

Mountain Lion removed the default install of Subversion and the bindings to other languages.

Workaround

On a fresh Mountain Lion install, the simplest way to get git-svn working again is to:

  1. Install XCode 4.4
  2. Open XCode and in Preferences > Downloads, click ‘Install’ next to ‘Command line tools’
  3. In SourceTree, open Preferences > Git and click ‘Use System Git’, confirming your git path

git-svn should now work again


Old School Layout

I thought it might be good to show a little vulnerability. <grin>

Today, going low-tech helped me see the forest and the trees. Well, that and a discussion with a colleague. Events of late have really zapped my creative juices. A quick phone call and paper helped show a simpler solution.

Hopefully this brings a smile to your day.

Blessings!


Internet Explorer Quirks Mode with HTML Comments

An interesting lesson was learned on a client’s project recently. We know that you will typically add the following meta tag in the head:

<meta http-equiv="X-UA-Compatible" content="ie=edge,chrome=1">

Now, this works as it should most of the time, however, I ran into an instance where IE 9 was still going into quirks mode. After spending 30 minutes or so banging my head against the wall, I saw that I had previously added an html comment to the top of all the WordPress templates. This was done during development to make it easy to view source and make sure the right template was being called in the right places for the complex site that was being built. I pulled the comments at the top out and *Walah*, IE rendered the pages in standards mode.

The lesson is that you must not have HTML comments prior to this meta tag. Doing so causes IE to fail to load this meta tag or so I thought. After a bit more experimentation and Googling it seems that the real culprit is having anything prior to the this StackOverflow answer.

So, lesson learned. Those benign HTML comments are maybe not so benign after all.

Cheers and blessings!

 

Enable access-based enumeration on Windows 2008 R2 File Share


Evaluating HTTP Commander

This week we evaluated the HTTP Commander product by Element-IT as a solution to a web-based file manager project. Our evaluation found many things to like about this product, including the ability to use Active Directory authentication. Via impersonation, the application also honors NTFS permissions on remote file shares. This item was what really sells HTTP Commander as the right solution in our case.

During our testing, we ran across an interesting problem. When using HTTP Commander as a less privileged user, we could navigate to folders that we should not be able to on remote folders. Now, we were denied access to download files, but being able to navigate folders you don’t have rights to seemed wrong. A quick email to Element-IT support and we began troubleshooting the issue with them.

After a few remote sessions of troubleshooting, we arrived at a point where the application was indeed doing what it was supposed to. The problem was that Windows was granting access when it should not. Thanks be to God for a good night’s sleep and some time to dig. The solution was found.

The Solution – Access-Based Enumeration

When creating file shares on a Windows 2008 R2 Server, you will most likely be doing so via the File Server role. In this file server role, there is a file share management console used for creating and managing file shares. In this tool, there is a setting that is off by default that is labeled “Enable access-based enumeration”.

According to Microsoft

Access-based enumeration displays only the files and folders that a user has permissions to access. If a user does not have Read (or equivalent) permissions for a folder, Windows hides the folder from the user’s view. This feature is active only when viewing files and folders in a shared folder; it is not active when viewing files and folders in the local file system.

Reading this description makes perfect sense. The funny thing is that this setting is not turned on by default. Is there a reason why administrators would not want to default to this setting so that users don’t see things they do not have access to?

Thankfully, for us this allows us to move forward with final evaluation of HTTP Commander and the potential purchase and implementation. As an aside, I was extremely pleased with the remote support offered by Element-IT and Sergey. Twice I ended a remote support session suggesting it was probably something on our end and I would let them know if we found the problem. On both occasions, I arrived at the office with an email in my inbox from Sergey with another idea and offer to do another support session. Keep in mind that this level of support was all offered prior to our purchase of the product. Kudos to Sergey and the team!

Photo by Stinging Eyes via Flickr Creative Commons

Event ID 11 – Service Principal Name Configuration

In the wee hours of the morning, a colleague and I set to changing out administrative passwords and migrating some admin accounts to service accounts to better reduce our security risk footprint. We completed the task and began double checking services and applications. It quickly became clear that we were no longer able to log into one of our domain controllers, a Windows Server 2008 R2 machine. Red Alert! We began receiving the following message when attempting to log into the DC.

The security database on the server does not have a computer account for this workstation trust relationship.

After a lot of odd looks and log reviews, we decided to restart the DC into safe mode WITHOUT networking. Doing so allowed us to log into the DC with the previous administrator password. (Remember, we had just changed the master admin password from one of the other DCs.) Now that we were in the problem DC, we could see the event logs. Two sets of errors piqued our interest.

Provider: Microsoft-Windows-Security-Kerberos
Event ID: 3
Error Message: KDC_ERR_S_PRINCIPAL_UNKNOWN

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Event ID: 11
Error Message: The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is ProtectedStorage/servername.example.com (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for ProtectedStorage/servername.example.com in Active Directory.

A bit of Googling found us narrowing things down to what seemed to be a problem with an SPN (Service Principal Name) entry somewhere.

http://technet.microsoft.com/en-us/library/cc733945(v=ws.10).aspx

http://support.microsoft.com/kb/321044

All of the recommended means of finding the missing or duplicate SPN were failing to show us exactly where to resolve the issue. Finally, a simple ping from the MacBook Pro terminal window gave the answer. Pinging the IP address of the problem DC showed a round robin effect with each ping response resolving to two DNS host names.

The Solution in a CNAME

Recently we had created a CNAME entry that pointed to a specific DC for use by all of our applications that need Active Directory integration of LDAP authentication. Our thought was that doing so would mean no application configuration changes when we rebuilt/renamed our DCs over the next month. Doh! Since we created a CNAME in the Active Directory DNS zone, it actually registered the SPN entries resolving both to this particular DC. This was the cause of the problem.

Removing the CNAME record and replacing with an A host record solved the problem.

Thanks be to God for that solution without ill effect.
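
As an added example (not part of the original post), the PowerShell function below groups servicePrincipalName values and lists any that are registered on more than one account, which is the condition KDC Event ID 11 reports. The DC01/DC02 account names are constructed sample data, and the commented Get-ADObject query assumes the ActiveDirectory module is installed.

```powershell
# Report SPNs held by more than one account. SPN matching is
# case-insensitive, so values are normalized before grouping.
function Find-DuplicateSpn {
    param(
        # Objects exposing DistinguishedName and servicePrincipalName,
        # e.g. the output of the Get-ADObject query shown at the bottom.
        [Parameter(Mandatory = $true)]
        [object[]] $Account
    )

    # Flatten to one (SPN, owning account) pair per SPN value.
    $pairs = foreach ($a in $Account) {
        foreach ($spn in @($a.servicePrincipalName)) {
            if ($spn) {
                New-Object psobject -Property @{
                    Spn     = $spn.ToLowerInvariant()
                    Account = $a.DistinguishedName
                }
            }
        }
    }

    # Keep only SPNs that are owned by two or more distinct accounts.
    $pairs | Group-Object Spn | ForEach-Object {
        $owners = @($_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            New-Object psobject -Property @{ Spn = $_.Name; Accounts = $owners }
        }
    }
}

# Constructed sample data (not from a real directory).
$sample = @(
    New-Object psobject -Property @{
        DistinguishedName    = 'CN=DC01,OU=Domain Controllers,DC=example,DC=com'
        servicePrincipalName = @('HOST/dc01.example.com', 'ProtectedStorage/servername.example.com')
    }
    New-Object psobject -Property @{
        DistinguishedName    = 'CN=DC02,OU=Domain Controllers,DC=example,DC=com'
        servicePrincipalName = @('HOST/dc02.example.com', 'protectedstorage/SERVERNAME.example.com')
    }
)
Find-DuplicateSpn -Account $sample | Format-List Spn, Accounts

# Against a live domain (read-only; searches the current domain only):
#   $all = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
#   Find-DuplicateSpn -Account $all
```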


Cannot Edit LDAP User Directory in Confluence


Image Courtesy of walknboston via Flickr CC

While working to migrate several web applications and update infrastructure, we also wanted to make some changes to the settings for our LDAP/Active Directory authentication for both Atlassian Confluence and Jira. Before Confluence 3.5, the custom authentication configurations were set in the atlassian-user.xml file. Starting with Confluence 3.5, these settings were automatically upgraded into a User Directory that is stored in the database and managed through the Confluence UI.

To my amazement, we went into Confluence –> Confluence Admin –> User Directories. Wow, there was no ability to edit the user directory configured for our Active Directory/LDAP authentication. After a bit of searching, the answer was simple, although I think this is a simple UX opportunity, i.e. a notification box.

See, I was logged into my Active Directory account in Confluence. Doing so, I was authenticated against this user directory. Therefore, I was not allowed to edit the user directory since doing so might lock me out. The solution was to create an admin account that used the internal user database. Be sure to give the admin user the correct group permissions to be able to administer Confluence. Then it was just a matter of logging out of Confluence as myself, logging back in as the locally created admin user and easy as pie we could edit the user directory configuration.

Go figure.