VMware ESXi 4.0: Create Virtual Machine Error Caused by NFS File on Western Digital MyBook WE
Such an awkward title, I know. It's just hard to encapsulate the following error message into a blog post title:
Create virtual machine 172.16.1.129 Error caused by file /vmfs/volumes/0cb8d2a5-20f15722/win2k8.vmdk
Basically, I'm taking ghetto to the next level by using my Dell Optiplex 745 workstation as an ESXi 4.0 server, and using a Western Digital MyBook World Edition as an NFS server which will store the VM images. The MyBook is actually very cool; it's a quiet, visually appealing mirrored 1TB NAS. After manually enabling the NFS server, I was able to mount the shares in VMware but was unable to write to it. Attempting to create a VM would error out with the following in the messages log:
Hostd: [2010-01-22 19:45:36.384 5AA03B90 verbose 'ha-host'] ModeMgr::Begin: op = normal, current = normal, count = 0
Hostd: [2010-01-22 19:45:36.385 5AA03B90 info 'ha-eventmgr'] Event 18 : Creating win2k8 on host whateves.lan in ha-datacenter
Hostd: [2010-01-22 19:45:36.385 5AA03B90 verbose 'HostsvcPlugin'] CreateEntry '64'
Hostd: [2010-01-22 19:45:36.385 5AA03B90 verbose 'ResourcePool ha-root-pool'] Added child 64 to pool
Hostd: [2010-01-22 19:45:36.385 5AA03B90 verbose 'Vmsvc'] Create VM initiated [64]: /vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx
Hostd: [2010-01-22 19:45:36.387 5AA03B90 verbose 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] CreateVmDirectory: Creating vm dir (as vm principal user) '/vmfs/volumes/0cb8d2a5-20f15722/win2k8'
Hostd: [2010-01-22 19:45:36.388 5AA03B90 info 'App'] CreateDirectory: Calling _file->CreateDirectory with _file = [N7Vmacore6System8FileImplE:0x5af0ae58]
Hostd: [2010-01-22 19:45:36.388 5AA03B90 info 'App'] CreateDirectory: Calling _file->CreateDirectory for /vmfs/volumes/0cb8d2a5-20f15722/win2k8
Hostd: [2010-01-22 19:45:36.389 5AA03B90 verbose 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] CreateVmDirectory: Failed to create vm dir (as vm principal user) '/vmfs/volumes/0cb8d2a5-20f15722/win2k8'.
Hostd: [2010-01-22 19:45:36.389 5AA03B90 verbose 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] CreateVmDirectory: Creating vm dir (as superuser) '/vmfs/volumes/0cb8d2a5-20f15722/win2k8'
Hostd: [2010-01-22 19:45:36.390 5AA03B90 warning 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] CreateVmDirectory: Failed to create vm dir '/vmfs/volumes/0cb8d2a5-20f15722/win2k8'
Hostd: [2010-01-22 19:45:36.391 5AA03B90 info 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] Create failed with given spec: /vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx
Hostd: (vim.vm.ConfigSpec) { dynamicType = <unset>, changeVersion = <unset>, name = "win2k8", version = "vmx-07", uuid = <unset>, instanceUuid = <unset>, npivWorldWideNameType = <unset>, npivDesiredNodeWwns = <unset>, npivDesiredPortWwns = <unset>, npivTemporaryDisabled = <unset>, npivOnNonRdmDisks = <unset>, npivWorldWideNameOp = <unset>, locationId = <unset>, guestId = "winLonghorn64Guest", alternateGuestName = "Microsoft Windows Server 2008 (64-bit)", annotation = <unset>, files = (vim.vm.FileInfo) { dynamicType = <unset>, vmPathName = "[VMs]", snapshotDirectory = "[VMs]", suspendDirectory = <unset>, logDirectory = <unset>, }, tools = (vim.vm.ToolsConfigInfo) { dynamicType = <unset>, toolsVersion = <unset>, afterPowerOn = true, afterResume = true, beforeGuestStandby = true, beforeGuestShutdown = true, beforeGuestReboot = true, toolsUpgradePolicy = <unset>, pendingCustomization = <unset>, syncTimeWithHost = <unset>, }, flags = (vim.vm.FlagInfo) null, consolePreferences = (
Hostd: [2010-01-22 19:45:36.391 5AA03B90 info 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] Exception thrown vim.fault.FileFault
Hostd: [2010-01-22 19:45:36.391 5AA03B90 info 'TaskManager'] Task Completed : haTask-ha-folder-vm-vim.Folder.createVm-172 Status error
Hostd: [2010-01-22 19:45:36.391 5AA03B90 verbose 'ha-host'] ModeMgr::End: op = normal, current = normal, count = 1
Hostd: [2010-01-22 19:45:36.391 5AA03B90 verbose 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] RemoveFromAutoStart
Hostd: [2010-01-22 19:45:36.391 5AA03B90 verbose 'Hostsvc::AutoStartManager'] Request spec is (vim.host.AutoStartManager.Config) { dynamicType = <unset>, defaults = (vim.host.AutoStartManager.SystemDefaults) null, powerInfo = (vim.host.AutoStartManager.AutoPowerInfo) [ (vim.host.AutoStartManager.AutoPowerInfo) { dynamicType = <unset>, key = 'vim.VirtualMachine:64', startOrder = -1, startDelay = -1, waitForHeartbeat = "no", startAction = "none", stopDelay = -1, stopAction = "none", } ], }
Hostd: [2010-01-22 19:45:36.391 5AA03B90 verbose 'Hostsvc::AutoStartManager'] Updated AutoStart sequence.
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'Hostsvc::AutoStartManager'] Autostart info after reconfiguration: (vim.host.AutoStartManager.Config) { dynamicType = <unset>, defaults = (vim.host.AutoStartManager.SystemDefaults) { dynamicType = <unset>, enabled = <unset>, startDelay = 120, stopDelay = 120, waitForHeartbeat = false, stopAction = "PowerOff", }, }
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'Vmsvc'] Released Vm Id: 64.
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'HostsvcPlugin'] RemoveEntry '64'
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'HostsvcPlugin'] RemoveEntry succeeded
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'ResourcePool ha-root-pool'] Removed child 64 from pool
Hostd: [2010-01-22 19:45:36.392 5A9C2B90 verbose 'App'] Looking up object with name = "64" failed.
Hostd: [2010-01-22 19:45:36.392 5AA03B90 info 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] Create worker thread failed
Hostd: [2010-01-22 19:45:36.393 5AA03B90 verbose 'Statssvc'] EntityRemovedListener: Deleting stats for entity 64
Hostd: [2010-01-22 19:45:36.565 5AA44B90 verbose 'DvsTracker'] FetchDVPortgroups: added 0 items
Hostd: [2010-01-22 19:45:41.690 5AA03B90 verbose 'App'] Looking up object with name = "haTask-ha-host-vim.host.DatastoreSystem.removeDatastore-114" failed.
After searching the 'nets for about an hour, I found a post on MyBook World that addressed my issue. By default the MyBook mounts NFS shares as read-only. To change that, I modified the /etc/exports file, changing all instances of "ro" to "rw."
/nfs/Public *(rw,all_squash,sync,insecure,anonuid=65534,anongid=65534)
/nfs/Download *(rw,all_squash,sync,insecure,anonuid=65534,anongid=65534)
Then, I restarted the service by issuing /etc/init.d/S80nfsd restart. Once the restart was complete, my VM creation was successful.
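Since the fix is a one-word change to /etc/exports, it is worth being able to answer two questions from the file itself: is the path the datastore lives on actually exported read-write, and what else does that export line grant? The following is an added example, not code from the post; it parses exports(5) syntax and flags the options that matter from a defender's view. The two exports strings are constructed copies of the lines shown above, before and after the ro-to-rw edit.

```python
import re
from dataclasses import dataclass

# Constructed copies of the MyBook's /etc/exports as the post describes them:
# the factory read-only form and the edited read-write form.
EXPORTS_BEFORE = """\
/nfs/Public *(ro,all_squash,sync,insecure,anonuid=65534,anongid=65534)
/nfs/Download *(ro,all_squash,sync,insecure,anonuid=65534,anongid=65534)
"""
EXPORTS_AFTER = EXPORTS_BEFORE.replace("(ro,", "(rw,")


@dataclass
class Export:
    path: str
    client: str        # host, netgroup, CIDR, or "*" for everyone
    options: list


# "client(opts)" or bare "client"; an empty client before "(" means everyone
TOKEN_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Parse exports(5) syntax: '/path client(opts) client2(opts) ...'."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        for token in clients:
            m = TOKEN_RE.fullmatch(token)
            client = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            exports.append(Export(path, client, opts))
    return exports


def is_writable(text, path):
    """True if some export of `path` carries rw (ESXi needs this to create the VM directory)."""
    return any("rw" in e.options for e in parse_exports(text) if e.path == path)


def audit(exports):
    """Return (path, client, finding) tuples that deserve a second look."""
    findings = []
    for e in exports:
        if e.client == "*":
            findings.append((e.path, e.client, "WORLD"))           # any host may mount it
        if "rw" in e.options:
            findings.append((e.path, e.client, "RW"))              # writable export
        if "insecure" in e.options:
            findings.append((e.path, e.client, "INSECURE"))        # requests from unprivileged source ports accepted
        if "no_root_squash" in e.options:
            findings.append((e.path, e.client, "NO_ROOT_SQUASH"))  # remote root keeps root on the server
    return findings


if __name__ == "__main__":
    print("Public writable before:", is_writable(EXPORTS_BEFORE, "/nfs/Public"))
    print("Public writable after: ", is_writable(EXPORTS_AFTER, "/nfs/Public"))
    for finding in audit(parse_exports(EXPORTS_AFTER)):
        print(finding)
```

On the edited file the audit reports WORLD, RW and INSECURE for both paths: after the change, every host that can reach the NAS can mount a writable datastore holding the VM disks, so the NFS server belongs on a storage VLAN, or the `*` should be narrowed to the ESXi host's address.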
OpenWRT: iptables-based Firewall Rules for PPTP and IPsec
Just a handy little reference for myself.
#Internal PPTP Server
vpnserver="172.16.1.10"
iptables -N pptp
iptables -A pptp -p tcp --destination-port 1723 --dst $vpnserver -j ACCEPT
iptables -A pptp -p gre --dst $vpnserver -j ACCEPT
iptables -I FORWARD -j pptp
iptables -t nat -N pptp
iptables -t nat -A pptp -i $WAN -p tcp --dport 1723 -j DNAT --to $vpnserver
iptables -t nat -A pptp -i $WAN -p 47 -j DNAT --to $vpnserver
iptables -t nat -A PREROUTING -j pptp
### Gateway Router-based IPSEC VPN
# allow IPSEC
iptables -A input_rule -p esp -j ACCEPT
# allow ISAKMP
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
# allow NAT-T
iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT
# disable NAT for communications with remote LAN
iptables -t nat -A postrouting_rule -d 172.16.0.0/24 -j ACCEPT
# Allow any traffic between tunnel LANs
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT
Setting Up a Site-to-Site VPN using a Linksys RV082 and OpenWrt/Openswan on a WRT54GS
After a week of trying out several different types of VPNs (PPTP, SSTP, IPSEC) at my new office, I finally figured out a solution to setup a WAN between my Linksys WRT54GSv3 and a Linksys RV082 business router. The solution was initially presented by Joe Kelly at NerdBoys.com but I couldn't get it to actually work until tonight.
Being a big fan of DD-WRT, I was hoping that I would be able to use it for my IPSEC VPN but DD-WRT only supports OpenVPN, not Openswan, which is what I need to connect to the remote RV082 router.
The techniques provided by Joe worked but the software did not. Apparently, I had to downgrade to OpenWrt from his suggested RC6 to RC4. With RC6, I could establish a tunnel successfully, but I could not ping and traffic did not go through either side. I thought it was my routing table but RC4 has the same routing table and it works perfectly.
Setting up a tunnel is actually easier than I expected -- I had to modify just 3 files on my OpenWrt install and add one tunnel to my RV082. So here's what my network looks like:
| | OpenWRT (LFT) | RV082 (ATX) |
|---|---|---|
| External IP | 24.0.175.222 | 4.2.2.2 |
| External Gateway | 24.0.175.221 | 4.2.2.1 |
| Internal IP | 172.16.1.1 | 172.16.0.1 |
| Internal Subnet | 172.16.1.0 | 172.16.0.0 |
| Internal Subnet Mask | 255.255.255.0 | 255.255.255.0 |
File 1: /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
plutodebug="none"
klipsdebug="none"
nat_traversal=no
interfaces=%defaultroute
# Add connections here
conn LFT-to-ATX
authby=secret
keyexchange=ike
ikelifetime=480m
keylife=60m
pfs=yes
left=24.0.175.222
leftsubnet=172.16.1.0/24
leftsourceip=172.16.1.1
leftnexthop=24.0.175.221
right=4.2.2.2
rightsubnet=172.16.0.0/24
rightnexthop=4.2.2.1
auto=start
dpddelay=10
dpdtimeout=30
dpdaction=hold
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
File 2: /etc/ipsec.secrets
: PSK "mybigolsecret"
I appended the following on file 3: /etc/firewall.user
### IPSec VPN
# allow IPSEC
iptables -A input_rule -p esp -j ACCEPT
# allow ISAKMP
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
# allow NAT-T
iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT
# disable NAT for communications with remote LAN
iptables -t nat -A postrouting_rule -d 172.16.0.0/24 -j ACCEPT
# Allow any traffic between tunnel LANs
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT
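The three files have to agree with each other: the rightsubnet in ipsec.conf must be the same network the postrouting_rule exempts from NAT (otherwise LAN traffic is masqueraded to the WAN address and never matches the tunnel's selectors), and the input_rule chain must admit ISAKMP, NAT-T and ESP. The following added example (mine, not the post's or Openswan's) parses both files and cross-checks them. The embedded samples are constructed from the configuration above, with the indentation ipsec.conf requires for conn parameters restored; ipaddress.IPv4Network.subnet_of needs Python 3.7 or later.

```python
import ipaddress
import re

# Constructed sample: the LFT-to-ATX connection from the post, indented as
# ipsec.conf requires, plus the firewall.user rules that accompany it.
IPSEC_CONF = """\
version 2.0
config setup
    nat_traversal=no
    interfaces=%defaultroute
conn LFT-to-ATX
    authby=secret
    keyexchange=ike
    pfs=yes
    left=24.0.175.222
    leftsubnet=172.16.1.0/24
    leftnexthop=24.0.175.221
    right=4.2.2.2
    rightsubnet=172.16.0.0/24
    rightnexthop=4.2.2.1
    auto=start
include /etc/ipsec.d/examples/no_oe.conf
"""
FIREWALL_USER = """\
iptables -A input_rule -p esp -j ACCEPT
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT
iptables -t nat -A postrouting_rule -d 172.16.0.0/24 -j ACCEPT
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT
"""


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}} from ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                     # unindented: section header or top-level keyword
            parts = line.split()
            if parts[0] in ("config", "conn") and len(parts) >= 2:
                current = f"{parts[0]} {parts[1]}"
                sections[current] = {}
            else:
                current = None                        # version / include lines
            continue
        if current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def parse_firewall(text):
    """Collect NAT-exempt destinations and the protocols/ports admitted by input_rule."""
    nat_exempt, input_allow = set(), set()
    for line in text.splitlines():
        if "-j ACCEPT" not in line:
            continue
        if "-t nat" in line and "postrouting_rule" in line:
            m = re.search(r"-d (\S+)", line)
            if m:
                nat_exempt.add(ipaddress.ip_network(m.group(1)))
        elif "input_rule" in line:
            if "-p esp" in line:
                input_allow.add("esp")
            m = re.search(r"-p udp.*--dport (\d+)", line)
            if m:
                input_allow.add("udp/" + m.group(1))
    return nat_exempt, input_allow


def check_tunnel(ipsec_text, firewall_text, conn="LFT-to-ATX"):
    """Cross-check one conn against the firewall rules; every value should be True."""
    c = parse_ipsec_conf(ipsec_text)[f"conn {conn}"]
    left = ipaddress.ip_network(c["leftsubnet"])
    right = ipaddress.ip_network(c["rightsubnet"])
    nat_exempt, input_allow = parse_firewall(firewall_text)
    return {
        "subnets_disjoint": not left.overlaps(right),                          # overlapping LANs cannot be routed
        "remote_lan_nat_exempt": any(right.subnet_of(n) for n in nat_exempt),  # else traffic is NATed and misses the SA
        "ike_allowed": "udp/500" in input_allow,
        "natt_allowed": "udp/4500" in input_allow,
        "esp_allowed": "esp" in input_allow,
        "pfs": c.get("pfs") == "yes",
        "psk_auth": c.get("authby") == "secret",
    }


if __name__ == "__main__":
    for name, ok in check_tunnel(IPSEC_CONF, FIREWALL_USER).items():
        print(f"{name:24s} {'ok' if ok else 'FAIL'}")
```

Dropping the `-t nat` line from the sample turns remote_lan_nat_exempt false while everything else still passes, which is exactly the "tunnel is up but nothing pings" symptom described above. The check also reports psk_auth so that the shared secret in ipsec.secrets is not forgotten when the tunnel is reviewed.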
After restarting ipsec on OpenWrt (ipsec setup restart), the following routing table was produced:
| Destination | Gateway | Genmask | Flags | Metric | Ref | Use | Iface |
|---|---|---|---|---|---|---|---|
| 24.0.175.220 | 0.0.0.0 | 255.255.255.252 | U | 0 | 0 | 0 | ipsec0 |
| 24.0.175.220 | 0.0.0.0 | 255.255.255.252 | U | 0 | 0 | 0 | vlan1 |
| 172.16.1.0 | 0.0.0.0 | 255.255.255.0 | U | 0 | 0 | 0 | br0 |
| 172.16.0.0 | 24.0.175.221 | 255.255.255.0 | UG | 0 | 0 | 0 | ipsec0 |
| 0.0.0.0 | 24.0.175.221 | 0.0.0.0 | UG | 0 | 0 | 0 | vlan1 |
As for the configuration on the RV082 side, it looks like this:

The RV082's routing table looks like so:
| Destination IP Address | Subnet Mask | Default Gateway | Hop Count | Interface |
|---|---|---|---|---|
| 4.2.2.0 | 255.255.255.248 | * | 40 | ixp1 |
| 4.2.2.0 | 255.255.255.248 | * | 45 | ipsec0 |
| 172.16.1.0 | 255.255.255.0 | 4.2.2.1 | 10 | ipsec0 |
| 172.16.0.0 | 255.255.255.0 | * | 50 | ixp0 |
| default | 0.0.0.0 | 4.2.2.1 | 40 | ixp1 |
And voila! A secure, perma-VPN is born. There are big ol gaps in information here, but Joe's fab post fills in much of that if you need it.
Securing Apache using mod_ssl, OpenSSL and Microsoft Certificate Authority (CA)
Recently, I used my Windows-based domain's Enterprise Root Certification Authority to secure my subversion repository that is hosted on an Apache-based server. The process was rather straight-forward and relatively fast -- especially because I skipped over all of the file transfers and just used vi/notepad to copy/paste all the key info. The first step in this process is to generate a server key on the Linux machine:
ariel:~ # openssl genrsa -des3 -out ariel.corp.netnerds.net.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
................................................................................
...................................++++++
e is 65537 (0x10001)
Enter pass phrase for ariel.corp.netnerds.net.key: **********
Verifying - Enter pass phrase for ariel.corp.netnerds.net.key: **********
Next, I used the key to create a certificate signing request:
ariel:~ # openssl req -new -key ariel.corp.netnerds.net.key -out ariel.corp.netnerds.net.csr
Enter pass phrase for ariel.key: **********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:LA
Locality Name (eg, city) []:Kaplan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:netnerds
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:ariel.corp.netnerds.net
Email Address []:postmaster@netnerds.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Next, I concatenated the contents of ariel.corp.netnerds.net.csr and copied that into my clipboard. The request looked something like this:
-----BEGIN CERTIFICATE REQUEST-----
wCvPKErAn5QBKFwlT5RCcOjeSZhAOx3UNe+Ispk874rvvwL6YIApAsMujrUlDNVo
......
vwL6
-----END CERTIFICATE REQUEST-----
I then opened up my domain's CA @ http://windowsCA/certsrv and went to
- Request a certificate
Or, submit an advanced certificate request. - Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
- Saved Request:
-----BEGIN CERTIFICATE REQUEST-----
wCvPKErAn5QBKFwlT5RCcOjeSZhAOx3UNe+Ispk874rvvwL6YIApAsMujrUlDNVo
......
vwL6
-----END CERTIFICATE REQUEST-----
Certificate Template: Web Server
Note: Be sure to decline when prompted by the browser to install the certificate locally.
I then opened the file in notepad, and copied the contents back into Linux as temp.key. In order to avoid having to type the passphrase in each time Apache is restarted, I decoded the key (that is, stripped the passphrase from it) and moved that to the Apache directory.
openssl rsa -in temp.key -out ariel.corp.netnerds.net-decoded.key
Next, I copied the files into the appropriate directories in /etc/apache/ssl* and modified my /etc/apache2/vhosts.d/vhost-ssl.conf and added the appropriate file locations:
SSLCertificateFile /etc/apache2/ssl.crt/ariel.corp.netnerds.net.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/ariel.corp.netnerds.net-decoded.key
Finally, I restarted the apache service and then partied to Wayne Toups.
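Stripping the passphrase means the private key now sits in cleartext on disk, so the file mode on SSLCertificateKeyFile is what stands between the key and any local user. The following added example (not the post's or Apache's code) pulls the two directives out of a vhost fragment and checks the key file: it must exist, must not be group- or world-readable, and must actually be unencrypted, since an encrypted key is what makes Apache prompt at restart. The vhost text is a constructed copy of the directives above, and demo() exercises the check on a throwaway key file rather than on /etc/apache2.

```python
import os
import re
import stat
import tempfile

# Constructed vhost fragment mirroring the two directives from the post.
VHOST_SSL = """\
SSLEngine on
SSLCertificateFile /etc/apache2/ssl.crt/ariel.corp.netnerds.net.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/ariel.corp.netnerds.net-decoded.key
"""

DIRECTIVE_RE = re.compile(r"\s*(SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)")


def ssl_paths(vhost_text):
    """Map the SSL file directives in a vhost fragment to the paths they reference."""
    paths = {}
    for line in vhost_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            paths[m.group(1)] = m.group(2)
    return paths


def key_file_problems(path):
    """Return a list of problems with a passphrase-less Apache key file (empty list = fine)."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):          # anything beyond the owner can read it
        problems.append("readable by group/other (mode %o)" % mode)
    with open(path, "rb") as f:
        head = f.read(256)
    # Traditional PEM marks encryption with "Proc-Type: 4,ENCRYPTED"; PKCS#8 uses "ENCRYPTED PRIVATE KEY"
    if b"ENCRYPTED" in head:
        problems.append("still passphrase-protected; Apache will prompt at restart")
    elif b"PRIVATE KEY" not in head:
        problems.append("does not look like a PEM private key")
    return problems


def demo():
    """Constructed scenario: the same key file before and after chmod 600."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "demo-decoded.key")
        with open(key, "w") as f:
            # Placeholder body; only the PEM armour matters to the check.
            f.write("-----BEGIN RSA PRIVATE KEY-----\nMIIB...placeholder...\n-----END RSA PRIVATE KEY-----\n")
        os.chmod(key, 0o644)
        before = key_file_problems(key)
        os.chmod(key, 0o600)
        after = key_file_problems(key)
    return before, after


if __name__ == "__main__":
    print(ssl_paths(VHOST_SSL))
    before, after = demo()
    print("mode 644:", before)
    print("mode 600:", after)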
Windows 7: Disable Unnecessary Services on a Domain Workstation
I finally took the plunge and installed Windows 7 on my Dell Netbook (Inspiron mini iM10-008B). I originally bought the Dell to make it into a Hackbook but after I realized how time-intensive the initial setup may be, I looked to installing Win 7 for instant newness gratification.
Initially, I was going to install the Enterprise version of Win 7 like I had done with Vista, but I decided on Ultimate since Ultimate is essentially the "Enterprise version for consumers" and I didn't have to have a local Key server around to validate my install.
The Netbook I purchased came with only 1GB RAM so it's especially important that I keep it running as efficiently as possible. I performed the basic tweak of setting Win 7 for Best Performance and then began checking out which services I could disable. I found Black Viper's Service Configurations page and used that as a guide to modifying my own services. His recommendations appeared more geared towards machines that are not on a domain, so my setup is a bit different from his. I have a Windows 2008-based domain and, while I know it offers a lot of Vista/7 specific features, I don't have time to explore them right now, so my setup is geared towards a basic domain membership.
Ultimately, I was able to reduce initial memory usage to 480 MB. That's a lot, but better than the ~600MB or so used by default. There are 144 services that I reviewed, including the AVG firewall service. So without further ado...
Securing Subversion with Windows 2008 Kerberos-Based SSO and Linux-Based Apache
Some things just belong on Linux. Like Subversion and Apache, for instance. I've seen the ghetto workarounds for Windows-based Apache installs and no thanks -- I'd much rather waste my time on ghetto SharePoint workarounds.
But I sure do like the way Windows-based web servers such as IIS seamlessly and securely authenticate users across a domain. I wanted Apache to do the same and, after a week of trying various methods of authentication, I found the easiest, most efficient way is to use SSL, Kerberos, and Likewise.
I start this project, as I do all of my Linux projects, by using a fresh install of SuSE Linux Enterprise Server (SLES 11). During the initial install, I made sure to use a local passwd file for authentication. Likewise takes care of all the advanced authentication methods after the install is complete. When using Likewise, do not attempt to use YaST to configure authentication or you'll run into a variety of pam and krb5 key issues.
Here are the steps and tutorials I used to accomplish my goal of SSO:
- Install and configure Likewise Open.
- Joining a domain is as easy as /opt/likewise/bin/domainjoin-cli join corp.netnerds.net Administrator, even when authenticating against Windows 2008 Active Directory.
- Setup Apache to support SSL
- Setup Apache to support Kerberos-based SSO
- My ktpass, for example, looks like this:
ktpass /out http.ktb /princ HTTP/ariel.corp.netnerds.net@CORP.NETNERDS.NET /pass SkiAlta2009 /mapuser corp\linuxweb
- Install the One-Click Installer that comes with OpenSuSE by default, but not SLES 11.
- yast -i yast2-metapackage-handler
- Add the subversion packages to the local repository.
- OCICLI http://software.opensuse.org/ymp/Subversion/SLE_11/subversion.ymp
- Go into YaST and install the necessary subversion packages.
- Follow the OpenSuSE tutorial for Setting Up a Subversion Server Using Apache 2
- Throw a party! Just turn up Pandora's Cajun station and DANCE.
I recommend using your domain's own Certificate Authority to generate the SSL cert that Apache will use. That way, users won't be prompted to accept an untrusted self-signed SSL certificate.
Have fun!
SuSE (SLES) 11 Works Flawlessly with Windows Server 2008 Authentication
Well that couldn't have been easier! Here's all it takes to authenticate SLES 11 to Windows Server 2008 based Active Directory. During the initial install of SLES, I performed the following:
- Selected samba-client and winbind during the software installer phase
- Added my domain's DNS servers to the initial network config using NetworkManager
- Ensured I had the right DNS search suffix (the name of my domain: base.netnerds.net)
Surprisingly, I didn't even have to configure samba after my install was completed. I was prompted to join the domain during the initial OS install and everything went as expected. Here are the settings I used:

I logged in using the domain\username format and this too, worked as expected:
login as: base\chrissy
Using keyboard-interactive authentication.
Password:
Creating directory '/home/BASE/chrissy'.
Creating directory '/home/BASE/chrissy/bin'.
Creating directory '/home/BASE/chrissy/.fonts'.
Creating directory '/home/BASE/chrissy/.mozilla'.
BASE\chrissy@ariel:~>
Next up, setting up NTLM pass-through authentication in Apache!
Update: If you plan to use Kerberos, I recommend you skip straight to using Likewise for all of your authentication needs. I had nothing but headaches from reported bugs with SuSe's built-in Samba and krb5/Kerberos.
New Network for the New Year
Now that my DL380 is stacked with a total of 10 gigs of ram, it's time to revamp my network. A majority of my servers are still in Silicon Valley (San Jose, specifically) at a fantastic colo company, Silicon Valley Web Hosting so in order to have as little downtime as possible, I'm going to temporarily push that one server to its limit and run a slimmed down virtualized network on it. Since I like my servers to be within driving distance, I'm choosing to migrate the network to Austin, TX (likely at onramp.) Granted Austin is a good 6 hours away, but colocation is much more affordable there than it is in Louisiana and any reason is a good enough reason to visit Austin.
All these new servers will require new names which is cool because the current names of my servers are a random hodgepodge of Cajun references like ROUX (the base for gumbo), BOUDIN (a delicious Cajun sausage) and BOUDREAUX (a famous Cajun last name). I'd like a little more order so I decided to get my theme together beforehand. That way, I don't have to invest time into thinking about names when I create new servers. As I was sitting in the parking lot at Acadian Food Mart in Duson, LA, I decided on the following theme: the names of small cities, towns and villages in Acadiana that are short and double as common first names or nicknames (omg I'm a nerd.) As I was documenting the list of potentials in an email to my business partner and best friend, Brandon, I figured why the hell not document them in Google Maps
And so I did...
So the list currently consists of Cade, Leroy, Mack, Katy, Effie, Ellis, Esther, Perry, Cecilia, Elba, Lucy, Henry, Ariel, Vick, Chloe, Lucas, Oliver, Scott, Milton, Jacoby, Brooks, Oscar, Louisa and Coon.
"Coon?" you may be asking yourself. Yes, I know two Coons, one Coonie and one T-Coon. All of whom got their nickname from the controversial epithet "coonass." So far, a few of the roles are: VMware Server, FSMO DC, Backup DC, SQL Server 2008, Backup SQL Server (Mirroring), IIS Web Server, Windows Dev Server, LAMP Server, and uhhh I'll come up with a few more once I get my other servers from SVWH. Did you know that Windows Server 2008 Enterprise edition allows 4 VM installs per physical license? Fortunately, I was able to obtain one of those bad boys at a conference last year and now I have pretty much more than enough Windows 2008 instances. Totally can't wait to try Core w/Powershell.
FIX: ‘Cannot Write Pam Settings’ when Joining a Windows Domain in SuSE 10.3
Today I attacked my 2008 technical to do list and setup a subversion server for backups/source control. It was actually pretty darn easy in SUSE 10.3. After I got it going, I wondered if I could have it automatically authenticate against my HOME domain. So, using SuSE's menu driven interface YaST, I easily added my Linux machine to my Windows domain.
Initially, YaST wasn't able to find or join the domain. This happens sometimes in Windows clients too when:
1. In TCP/IP, the DNS settings are pointed to servers outside of the domain
2. The fully qualified domain name (ex. corp.windomain.com) is not given when joining the domain
3. The FQDN is not listed as a DNS search suffix
After adjusting /etc/resolv.conf to reflect my fully qualified domain name, YaST made it surprisingly easy to find and join the domain. But right as it was finishing up, it ran into the error "cannot write pam settings." I looked around the web and saw about 2 other people had the same problem but no solution was offered. After poking around, I noticed that "pam-smb" was not installed. Generally, SuSE will automatically detect when rpms need to be added but in this case it didn't.
In order to get it all working, I added pam-smb, samba-winbind and krb5-client then I easily plugged into my Windows 2003 domain. Years ago, I tried to do something similar and it seemed to work but I was never able to login via SSH. I'm pretty sure I didn't prefix the domain (in proper case, at that) when attempting to login. Knowing that, I was successfully able to login to my Linux machine using a Windows domain login this time around.
login as: HOME\testuser
Using keyboard-interactive authentication.
Password: *****************
Creating directory '/home/HOME/testuser'.
Creating directory '/home/HOME/testuser/public_html'.
Creating directory '/home/HOME/testuser/bin'.
Creating directory '/home/HOME/testuser/Documents'.
Have a lot of fun...
HOME\testuser@subversion:~>
Awesome! This is much easier than doing user mapping with NIS.
Fix Slow External DNS Resolution in Microsoft/Active Directory DNS Server
Aw yaille! I just wrote up a whole explanatory blog post then lost it so this one will likely be brief... or not.
Recently, we found that one of our DNS servers was resolving external hostnames unacceptably slow -- about 5 seconds, give or take. The resolution was so slow, in fact, that all of the clients hopped on to the secondary DNS server thinking that the primary had gone down. After logging on to the server to troubleshoot, I could see that:
1. Pinging external hostnames worked well after the hostname resolved. So did traceroute.
2. Caching wasn't working at all
3. Other AD DNS servers on the network were resolving external hostnames quickly
4. The root servers were all there but I deleted and reloaded them anyway
- Note: you can actually load root servers from a root server which is cool
5. Internal hostname resolution was extremely fast
6. A reboot didn't help (you may laugh but this has solved severe AD problems for me)
Because the other AD Servers were picking up the slack, I decided to come back to it later. I went out and had dinner with a friend then returned after a few hours. Upon logging back on to the Internets, an old network admin friend messaged me. I told him what I was seeing and he said he had the exact same issue a few months back. After a few minutes of trying to recall the solution, he asked "Have you checked your forwarders?" I'd glanced at them but went back to check again. And there it was... an entry to a machine we'd recently taken down (long story...). I knew the moment I saw the IP that it was the problem. I removed the entry and noticed the forwarded query timeout was equal to *drumroll* 5 seconds.
Finding that solution was impossible on the Internet because of the super general terms: Slow DNS Resolution External Active Directory. Nothing really worked for me so hopefully this post will help others in the future.
Update: A colleague of mine mentioned spyware interfering with proper DNS functionality resulting in intermittent resolution problems. So that's something you may want to check with a netstat -bn which shows you what programs are using which ports. DNS uses UDP port 53.
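The symptom above, a fixed ~5 second delay that matches the forwarder timeout, is easy to confirm from the DNS server itself by timing a query against each configured forwarder individually rather than through the server. The following is an added example (mine, not from the post or from Microsoft DNS): it builds a raw A query with the standard library, times the answer from each forwarder, and ranks dead ones last. demo() substitutes two constructed loopback sockets for real forwarders, one that answers and one that is bound but never replies, so it runs offline; the query name www.example.com is an arbitrary assumption.

```python
import random
import socket
import struct
import threading
import time


def build_query(name, qid):
    """Minimal DNS wire-format query for an A record with recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN


def probe_forwarder(server, port=53, name="www.example.com", timeout=2.0):
    """Time one query; returns (seconds, rcode) or (seconds, None) when no answer arrived."""
    qid = random.randrange(65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, qid), (server, port))
        while True:
            data, _ = sock.recvfrom(512)
            # Only accept a reply carrying our transaction ID; ignore stray datagrams.
            if len(data) >= 12 and struct.unpack("!H", data[:2])[0] == qid:
                return time.monotonic() - start, data[3] & 0x0F
    except (socket.timeout, OSError):
        return time.monotonic() - start, None
    finally:
        sock.close()


def rank_forwarders(servers, timeout=2.0):
    """Probe each (host, port); slowest last, unanswered after everything that answered."""
    results = [(s, *probe_forwarder(s[0], s[1], timeout=timeout)) for s in servers]
    return sorted(results, key=lambda r: (r[2] is None, r[1]))


def demo(timeout=0.5):
    """Constructed stand-ins on loopback: one live forwarder, one taken-down machine."""
    live = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    live.bind(("127.0.0.1", 0))

    def serve_once():
        data, addr = live.recvfrom(512)
        # Echo ID and question back with QR=1, RD=1, RA=1, RCODE=0 and an empty answer section.
        resp = data[:2] + struct.pack("!H", 0x8180) + data[4:6] + b"\x00" * 6 + data[12:]
        live.sendto(resp, addr)

    threading.Thread(target=serve_once, daemon=True).start()
    dead = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    dead.bind(("127.0.0.1", 0))            # bound but silent: every query waits out the timeout
    servers = [("127.0.0.1", live.getsockname()[1]), ("127.0.0.1", dead.getsockname()[1])]
    ranked = rank_forwarders(servers, timeout=timeout)
    live.close()
    dead.close()
    return ranked


if __name__ == "__main__":
    for (host, port), seconds, rcode in demo():
        print(f"{host}:{port:<5} {seconds:6.3f}s  rcode={rcode}")
```

Against real forwarders, call rank_forwarders with the list from the DNS server's Forwarders tab and port 53; an entry that comes back with rcode None and an elapsed time equal to the timeout is the stale one to remove. A forwarder that answers but with rcode 2 (SERVFAIL) is a different problem, upstream of you.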