Fixing a corrupt Active Directory group

We have a group, we’ll call it Business Admin. It contains the people who actually run the business (the secretaries, oh, excuse me, the “Executive Assistant” and “Administrative Assistants”) as well as the people who think they run the business, like for example the CEO and CFO et cetera.

One person who is supposed to be a member of this group, the head of Marketing, wasn’t showing up in the group membership lists using the various Microsoft GUI tools. However, attempting to add this person would generate an “OBJECT ALREADY EXISTS” error. Huh?

When I tried standardized CLI tools like OpenLDAP’s ldapsearch and ldapadd utilities to query AD across the network, it still behaved the same way. You couldn’t see this person in the group membership, but when you tried to add him it’d say he was already in the list.

Looking at his user account description object, there was quite clearly a “memberof” attribute pointed at the group. Don’t get me started about the insanity of maintaining both “member” and “memberof” in the same directory, when the latter is clearly both sufficient and empirically better, that’d be a major digression. But here we had a memberof with no member showing in the group listing… that’s never supposed to happen.

Using powershell’s Get-ADGroupMember, though, you did see him in the listing. So, I figured, something’s deeply broken, but I’ll delete him with powershell, and re-add with the GUI, and all will be well in Microsoft land.

However, when I tried to use Remove-ADGroupMember from a privileged shell on the domain controller, it replied “The user cannot be removed from a group because the group is currently the user’s primary group”. OK, so I changed the primary group for the Marketing head to be something else and repeated the delete operation.

This time the delete succeeded. Now here’s the weird part. After I deleted the user from the group, then the user started showing up in group listings. Got that? He was not showing up, so I deleted him, and then he showed up.

After that everything just worked. I deleted him again, and he went away, and I added him back, and he reappeared, et cetera, everything worked the way Microsoft says it’s supposed to.

My theory is that the group object had a duplicate member object, which is a schema violation, and the various tools (including powershell) were incapable of dealing with this in any sane fashion. But you can fix it with powershell.
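A check for exactly this kind of inconsistency, added here as an example and not part of the original post: it reads an ldapsearch-style LDIF export of the group and its users and compares the group's forward links (the `member` attribute) against each user's back links (`memberOf`) and `primaryGroupID`. The LDIF is constructed sample data; the `objectSid` is written out in string form for readability (a real ldapsearch export returns it base64-encoded), and the DNs, RIDs and names are invented. The point it adds to the story is the primary-group case: a user whose `primaryGroupID` equals the group's RID is a member that the group's `member` attribute never lists, which is why the removal failed until the primary group was changed.

```python
"""Cross-check AD group membership from an ldapsearch (LDIF) export.

Added example, not from the post. SAMPLE_LDIF is constructed: one user's
memberOf names the group while the group's member list lacks him, and that
same user has the group as his primary group (primaryGroupID == group RID),
the situation that blocked Remove-ADGroupMember in the post.
"""
import base64
import re

SAMPLE_LDIF = """\
dn: CN=Business Admin,OU=Groups,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
member: CN=Alice Exec,OU=Users,DC=example,DC=com
member: CN=Bob Finance,OU=Users,DC=example,DC=com

dn: CN=Alice Exec,OU=Users,DC=example,DC=com
objectClass: user
primaryGroupID: 513
memberOf: CN=Business Admin,OU=Groups,DC=example,DC=com

dn: CN=Bob Finance,OU=Users,DC=example,DC=com
objectClass: user
primaryGroupID: 513
memberOf: CN=Business Admin,OU=Groups,DC=example,DC=com

dn: CN=Carol Marketing,OU=Users,DC=example,DC=com
objectClass: user
primaryGroupID: 1105
memberOf: CN=Business Admin,OU=Groups,DC=example,DC=com
"""


def parse_ldif(text):
    """Return {dn.lower(): {attr.lower(): [values]}}; the original-case DN is
    kept under the "dn" key. Handles folded continuation lines (leading space)
    and base64 values ("attr:: ...") the way ldapsearch emits them."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold a continuation line
            else:
                lines.append(raw)
        attrs = {}
        for line in lines:
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries


def sid_rid(sid):
    """The RID is the last sub-authority of an SID string such as S-1-5-21-...-1105."""
    return int(sid.rsplit("-", 1)[1])


def audit_group(entries, group_dn):
    """Compare the group's member list with every other entry's memberOf and
    primaryGroupID. Returns a list of (finding, dn) pairs, DN case preserved."""
    key = group_dn.lower()
    group = entries[key]
    members = {m.lower(): m for m in group.get("member", [])}
    group_rid = sid_rid(group["objectsid"][0]) if "objectsid" in group else None
    findings = []
    for dn, attrs in entries.items():
        if dn == key:
            continue
        original = attrs["dn"][0]
        claims = key in {v.lower() for v in attrs.get("memberof", [])}
        listed = dn in members
        if claims and not listed:
            findings.append(("memberof-without-member", original))
        if listed and not claims:
            findings.append(("member-without-memberof", original))
        if group_rid is not None and attrs.get("primarygroupid", [""])[0] == str(group_rid):
            # primary-group membership is carried by the user, never by member
            findings.append(("primary-group-member", original))
    for lowered, original in members.items():
        if lowered not in entries:
            findings.append(("member-object-not-exported", original))
    return findings


if __name__ == "__main__":
    group = "CN=Business Admin,OU=Groups,DC=example,DC=com"
    for finding, dn in audit_group(parse_ldif(SAMPLE_LDIF), group):
        print(f"{finding:28} {dn}")
```

Run against a real export by feeding it the output of an ldapsearch for the group plus `(memberOf=<group DN>)` and `(primaryGroupID=<RID>)` users; anything reported as `memberof-without-member` is the state the post describes, and a `primary-group-member` hit tells you to change the user's primary group before trying to remove him.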

Averting the Year 2038 Disaster

OpenBSD released version 5.5 today, and not only has the OpenBSD team removed the OpenSSL dependency from OpenSSH, they’ve also implemented 64 bit time_t variables on all platforms.

So on Tuesday, January 19th, in the year 2038, when the rest of the world’s Unix systems fail at 3:14:02 Greenwich Standard Time, OpenBSD systems will proceed with business as usual.

I have now fulfilled the promise I made in late 1998 (that I would have an action plan to avert the Y2.038K Disaster by 2018) a good three years early. The plan is: convert to OpenBSD in 2035 if nobody else has caught up.

Sid Meier beyond Alpha Centauri

We are at PAX East, and I believe I am the oldest person in the building.

Here is the big news. It seems unlikely that Brian Reynolds (the man who built Civilization II, Colonization, and Alpha Centauri for Sid Meier) will be involved.

Theo weighs in on Heartbleed

I’ve been subjected to a fair bit of hysteria about the heartbleed vulnerability in OpenSSL. While it’s admittedly a severe problem, I can’t see much use in all the frothing Y2K-esque fearmongering (although it’s funny when Randall does it).

But honestly, I’ve been looking forward to Theo’s take on this, and he did not disappoint. You never doubt where Theo stands!

OpenSSL has exploit mitigation countermeasures to make sure it’s exploitable. — Ted Unangst

As the various cert vendors I deal with have been telling me all morning (can you stop emailing me now, guys, please?) it’s time to patch the vulnerable webservers, get new certs and move on.

IF YOU DID NOT UNDERSTAND ANY OF THE ABOVE, here’s what you do: Test each site you use (like, for example, mail.google.com or www.yahoo.com) using Filippo Valsorda’s tester. Once ALL the sites you use are patched, change ALL your passwords on ALL websites you use. Don’t change your password on a site that’s not patched – don’t even log in on a site that’s not patched! That will just increase the chances you will be hacked. Don’t assume that because your site is OK now, that you don’t need to change your password – the big boys (Yahoo comes to mind) were vulnerable for quite a while before they patched, but they test out fine now.

Goodbye Windows XP

Today’s the official last day of Windows XP support. Unless you are the UK. Or the Dutch. Or a bank.

Speculative Movies of Real Disasters

Steven Ward is a Research Geophysicist at the Institute of Geophysics and Planetary Physics, UC Santa Cruz. He specializes in the quantification and simulation of natural hazards and he shares his research on youtube and his blog.

Some of the results of his modeling don’t match up cleanly with what geologists expect (for example tsunami height and reach for the Chicxulub strike) and Dr. Ward shows admirable openness about this as well as quite a bit of ingenuity in modifying the models to fit known geology.

This movie shows a physics-based computer simulation of the 1883 Krakatoa eruption; Ward suggests that a collapsing pyroclastic flow and lateral blast blew the Sunda Strait dry, which would account for the historical tsunami’s known behavior.

NASA Asteroid Grand Challenge offers $35,000 payout

From topcoder.com:

Welcome to the Asteroid Grand Challenge Series sponsored by the NASA Tournament Lab! The Asteroid Grand Challenge Series will be comprised of a series of topcoder challenges to get more people from around the planet involved in finding all asteroid threats to human populations and figuring out what to do about them. In an increasingly connected world, NASA recognizes the value of the public as a partner in addressing some of the country’s most pressing challenges. Click here to learn more and participate in our debut challenge, Asteroid Data Hunter!

NPR has an article about the series here.

Inside it’s full of delicious caramel

To find out what packets have been dropped on a Cisco Nexus 55xx infrastructure switch, use the CLI command “show hardware internal carmel counters interrupt” and prepare to be overwhelmed by data.

New MariaDB & Linux kernel releases

The Linux 3.14 kernel has yet another process scheduler, a new network packet scheduler intended to combat bufferbloat, kernel address space layout randomization, and the usual plethora of other improvements.

MariaDB 10 (https://blog.mariadb.org/the-mariadb-foundation-announces-general-availability-of-mariadb-10/) has speed improvements, parallel replication, sharding, and NoSQL support. Looks like Oracle’s mySQL is truly irrelevant at this point, despite Sun paying Monty one billion US dollars for it back in 2008.

Facebook releases Hack

Facebook has followed up their 2011 release of their PHP Virtual Machine (HHVM, aka HipHop) by releasing Hack, an HHVM-compatible statically typed version of PHP.

I like PHP (mostly because it’s an extremely rapid development language for the web, and also because academic Java snobs hate it so passionately) but static typing should be a fantastic improvement.

Gopherspace revisited

Cal Lee’s discussion of the rise and fall of Gopher, and his refutation of simplistic explanations for the dominance of HTTP, is a good read. But it’s more than a paragraph long and hasn’t any pictures, so it won’t appeal to the average web denizen.

This paper does not provide any one definitive answer to why history played itself out as it did. Instead, I have attempted to refute the very notion that such a unitary answer is either desirable or possible. I have found the concept of mind share to be a useful way of presenting the influences involved without the need to commit to a specific causal chain of events. My hope is that the result can contribute positively to the ongoing historical dialog on why the Internet that so many of us use developed in the way it did.

Chrooted SFTP-only accounts with OpenSSH

Courtesy of slashdot user CarlHaagen:

First off, add a group that you call for example “sftponly”. New users that are to be allowed only sftp access should have “sftponly” as their login group, and have /sbin/nologin as shell to deny them shell access. Their home directories should be owned by root:sftponly, and within the home dir you then create relevant user-controllable directories which should be owned by :sftponly.

Secondly, the sshd_config magic that makes the whole charade work:

Subsystem sftp /usr/libexec/sftp-server
Match Group sftponly
ForceCommand internal-sftp
ChrootDirectory %h

What happens is that when the SSHd matches the user’s login group successfully, it forcefully switches over to the internal sftp component instead of the default external subsystem, which in turn makes it possible to chroot the user to his/her home dir without having to place a plethora of system files in each user’s home directory.
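The part of this recipe that trips people up is why the home directory has to be owned by root:sftponly rather than by the user: sshd refuses a ChrootDirectory unless every path component from / down to the chroot is a root-owned directory that is not group- or world-writable, which is why the user's writable directories have to live one level below the chroot. The following checker, added here as an example and not code from the slashdot post or from OpenSSH, walks a path and reports each violation. The stat function is injectable so the two constructed trees (BAD_TREE, the usual useradd -m mistake; GOOD_TREE, the post's layout) can be checked offline; `world_writable_demo` runs the same check against a deliberately 0777 temp directory on the real filesystem.

```python
"""Verify a directory against sshd's ChrootDirectory ownership rule.

Added example, not from the post. sshd requires every component of the chroot
path to be a root-owned directory that is not group- or world-writable; the
post's layout (home owned by root:sftponly, user-writable subdirectories
beneath it) exists precisely to satisfy this. BAD_TREE/GOOD_TREE are constructed.
"""
import os
import stat
import tempfile
from collections import namedtuple

FakeStat = namedtuple("FakeStat", "st_uid st_mode")


def chroot_path_problems(path, stat_fn=os.stat):
    """Return human-readable problems for path and all its parents; an empty
    list means sshd would accept it as a ChrootDirectory. stat_fn is
    injectable so constructed trees can be checked without a filesystem."""
    problems = []
    p = os.path.abspath(path)
    while True:
        st = stat_fn(p)
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{p}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{p}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{p}: group/world writable ({stat.filemode(st.st_mode)})")
        if p == "/":
            return problems
        p = os.path.dirname(p)


# Constructed trees. BAD_TREE is the common mistake: the home directory was
# created by useradd -m and is still owned by the user (uid 1001).
BAD_TREE = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/home": FakeStat(0, stat.S_IFDIR | 0o755),
    "/home/jdoe": FakeStat(1001, stat.S_IFDIR | 0o750),
}
# GOOD_TREE follows the post: the home itself is root-owned (root:sftponly, 0750);
# the user's writable directories would sit underneath it and are not checked.
GOOD_TREE = {**BAD_TREE, "/home/jdoe": FakeStat(0, stat.S_IFDIR | 0o750)}


def check_constructed(tree, home="/home/jdoe"):
    """Run the checker over one of the in-memory trees above."""
    return chroot_path_problems(home, tree.__getitem__)


def world_writable_demo():
    """Create a throwaway 0777 directory and show the checker rejecting it."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o777)
        return chroot_path_problems(d)
    finally:
        os.rmdir(d)


if __name__ == "__main__":
    for name, tree in (("bad", BAD_TREE), ("good", GOOD_TREE)):
        print(name, check_constructed(tree) or "OK")
    print("temp dir:", world_writable_demo())
```

On a live host, `chroot_path_problems("/home/jdoe")` before restarting sshd saves the round trip of a user hitting "client_loop: send disconnect" because a parent directory was left group-writable.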

Hoyer’s blob

Heather pointed me to Andrew Hoyer’s web page, which is full of clever web programming tricks. I found the build log for the blob particularly interesting.


Hopefully Mr. Hoyer won’t mind my embedding his work here. Grab an eyeball and drag it around! The real version is much better because the icons aren’t overscale.

WordPress autoupdate did not break my RSS.

I really like WordPress, but the last spontaneous update (the autoupdate feature was recently enabled by default) seems to have broken my RSS. Good thing nobody reads this blog, I guess! I’m turning the bloody thing off. Grumble grumble grumble.

Update 2014-02-05: Perhaps not related to the 3.8.1 autoupdate, but rather to the new version of WordPress’s embedded post editor in 3.8. The damnable thing (which has always been too “expert hostile” for my taste, in every version) took a quote that I’d pasted in from a .PDF and sprinkled it with magical invisible ^L characters, which are not legitimate in RSS. I found them with a serious editor and got rid of them, now RSS works again.
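The characters in question are the ones XML 1.0 forbids outright: below U+0020 only tab, line feed and carriage return are allowed, and U+FFFE/U+FFFF are excluded, so a single ^L (U+000C) in an RSS document makes the whole feed ill-formed. The following locator and stripper is an added example, not part of the post or of WordPress; SAMPLE_ITEM is a constructed fragment with one form feed pasted into the description, and `is_well_formed` uses the standard-library parser to confirm the before/after.

```python
"""Locate and strip characters XML 1.0 forbids (the ^L that broke the feed).

Added example, not from the post. XML 1.0 allows, below U+0020, only tab,
line feed and carriage return, and excludes U+FFFE and U+FFFF. SAMPLE_ITEM is
a constructed RSS fragment with one form feed (U+000C) in the description.
"""
import re
import xml.etree.ElementTree as ET

# Every code point XML 1.0 rejects in character data or markup (surrogates
# cannot occur in well-formed UTF-8 input and are left to the decoder).
ILLEGAL_XML_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\ufffe\uffff]")

SAMPLE_ITEM = (
    "<item>\n"
    "  <title>Gopherspace revisited</title>\n"
    "  <description>This paper does not\x0c provide any one answer.</description>\n"
    "</item>\n"
)


def find_illegal_xml_chars(text):
    """Return (line, column, codepoint) for every forbidden character, 1-based,
    so the offending spot can be fixed in an editor rather than blindly stripped."""
    hits = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for m in ILLEGAL_XML_CHARS.finditer(line):
            hits.append((line_no, m.start() + 1, ord(m.group())))
    return hits


def strip_illegal_xml_chars(text):
    """Remove the forbidden characters outright; the feed stays otherwise intact."""
    return ILLEGAL_XML_CHARS.sub("", text)


def is_well_formed(text):
    """True if the standard-library parser accepts the document."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for line, col, cp in find_illegal_xml_chars(SAMPLE_ITEM):
        print(f"line {line} col {col}: U+{cp:04X}")
    print("before:", is_well_formed(SAMPLE_ITEM))
    print("after: ", is_well_formed(strip_illegal_xml_chars(SAMPLE_ITEM)))
```

Pointing `find_illegal_xml_chars` at the fetched feed is quicker than hunting through post content by hand, and the parse check is the same test a feed reader applies.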

Who writes Linux?

The IEEE published some pretty graphs drawn from the Linux Foundation’s yearly analysis of linux code contributions.

Regex Crossword Puzzles

Apparently regular expression crossword puzzles are a thing.

This one looks fun.

skipping and hopping robots

Jason Kottke put up a video from SIGGRAPH Asia 2013 that shows virtual robots evolving effective gaits. Once the model has been designed, the computer flails around (like a human baby flailing around in a bassinet) until it finds a way to make the model walk optimally.


What I found most interesting was the development of a suboptimal “skipping” behavior (right at the 5:00 mark, in “outtakes”), and an optimal hopping gait in models with the kind of leg structures found in kangaroos, potoroos, pademelons and the tammar wallaby.

A moment of extreme computer geekery

Almost certainly of no interest to anyone... well, maybe DNS experts who have occasional need of perl. Net::DNS::RR::CNAME->set_rrsort_func is pretty incredibly obscure, though.

#!/usr/bin/perl -w -T -W
#
#  DNS zone transfer and output CNAMEs sorted by target host
#  Charlie Brooks 2014-01-08

use strict;
use Net::DNS;
use Net::DNS qw(rrsort);  # rrsort is not in the default export list, so ask for it

my @domains=qw/typinganimal.net egbt.org hell.com/;

# Use system defaults from resolv.conf to find nameservers
my $res  = Net::DNS::Resolver->new;

foreach my $namespace (@domains) {

# do a zone transfer, loading resource records into array
# axfr is standard (BIND style) not djbdns style
  my @zone = $res->axfr($namespace);

# an empty list means the server refused or aborted the transfer;
# say why and carry on with the next zone instead of printing nothing
  unless (@zone) {
    warn "AXFR of $namespace failed: ", $res->errorstring, "\n";
    next;
  }

# Red Hat's perl-Net-DNS-0.59-3.el5 package doesn't seem
# to have a useable rrsort for CNAMES (it tries to do a
# "<=>" flying saucer instead of "cmp") and the examples
# in the doco for custom sort methods flat out don't work
# but I flailed around until I found a way to do it.  It's
# weirdly simple if you stumble upon the magic incantation.

# dumping the CNAMEs sorted by target requires custom sort function;
# Net::DNS hands the two records being compared to the sort sub as
# $Net::DNS::a and $Net::DNS::b, and the target host is the cname field
  Net::DNS::RR::CNAME->set_rrsort_func ('cnamet',
             sub {($a,$b)=($Net::DNS::a,$Net::DNS::b);
                  $a->{'cname'} cmp $b->{'cname'}});

# rrsort filters @zone down to CNAME records and applies the sort above
  foreach my $cname (rrsort("CNAME","cnamet",@zone)) {
    $cname->print;
  }
}
exit;

Turing pardoned

Alan Turing was a brilliant British code-breaker in World War II and probably responsible for saving (at least) thousands of lives. He and his colleagues made a huge contribution to the eventual defeat of the Axis powers, and to modern computer science and cryptography. But because Turing was a homosexual, the British Government rewarded this service with vicious persecution – including so-called “chemical castration” – that eventually drove him to suicide.

Human rights campaigner Peter Tatchell has said: “I pay tribute to the government for ensuring Alan Turing has a royal pardon at last but I do think it’s very wrong that other men convicted of exactly the same offence are not even being given an apology, let alone a royal pardon.”

A very tiny apocalypse

Oracle’s finally going to make good on their threat to stop allowing unsigned Java code to run from web browsers.

This may wreak great havoc in the world of lame web-launched java-based applications. Such as those infesting governments, hospitals and large corporations who aren’t savvy enough to use LAMP for their web development.

Good software will not be in any way impacted by this event.

I rarely see that requirement in job postings.

* Ability to ignore existing machine learning and associated algorithms, and concomitant ability to develop new algorithms to solve novel AI problems
* Appreciation of the art and science of coding
* Evidence of creative achievement in one or more field
* Evidence of cultivation of “jamais vu” and independence from the zeitgeist.
* Understanding of game theory or evidence of advanced ability in a particular game (may be substituted by deep knowledge of current developments in philosophy, political discourse, or other field that combines linear and intuitive thought)