Monthly Archive for September, 2004

Walking into unknown territory

I have immersed myself today in docs about BGP, which is what we need to implement multihoming on our network.

A few notes:

  1. We need an AS number. We’ll probably have to get this from Preginet.
  2. We need a routable IP address block, or two same-sized address blocks from AFRDIS and Preginet.
  3. I need a router simulator to test my network design, and not frag things up.
  4. I need a book on BGP. The docs available on the net are just too overwhelming, and I wouldn’t know where to start.
  5. I’d probably have to consult with Preginet, and beyond that, with PLDT Datanet people.

Tighter!

Six days into the network reconfig, still no go with the AD-Win98
authentication timeouts. I’ve also begun to look at other authentication
schemes that lock Windows to the desktop only, not on the server side.

One promising scheme is pGINA, or Pluggable Graphical
Identification and Authentication, an add-on for the standard MS GINA
DLL. GINA is part of winlogon.exe, and is loaded at the
early part of the boot process.

The plan is to have pGINA as the authentication front-end for LDAP,
from which users can authenticate for services such as network logins,
web access, and webmail.

Another cool toy is NetReg, which requires users to register their
hardware (NIC MAC addresses) before gaining full network access in a
DHCP-enabled environment. Again, LDAP will be used to authenticate valid
users.

I’m hoping to work this out using my VMWare environment, once I get
Slackware to work here. Nice prospects ahead.

I’ve also installed TightVNC on the DC so that the sysads can get
to it remotely. Great toy, this one.

TACACS+, dial-in, LDAP, among others

Last Friday, the Boss asked me to disable TACACS+ on Maui so
authentication will just be on the 2500. I was a bit nervous because I
wasn’t really that comfortable with IOS just yet, and I’d hate to mess
around with the router configs with only a very basic understanding of
how it works. But there’s always a first time for everything, so off I went.

I just appended “no” to all lines that I wanted to
disable in the config, crossed my fingers, did a Ctrl-Z and
“write”. Phew! Easy does it.

I’ve also managed to get the Perl CGI script for proxy user
management on Jabber to work. Thank goodness for open source, I was
actually able to tweak the code and study it a bit further.

Here’s my plan: I’m going to study Perl, and what better way to
start off than having a project. And I do have one: that of Orso’s
admuser.cgi. Nothing much to change there, but my plan is
to make it work across multiple servers, and include a few nifty
features like last user login, group management, etc. Pretty tall order,
but I’ll get there. After that, I can add Perl to my list of skills. Cool.

Still having problems with LDAP. I haven’t ferreted out the
authentication issue with AD. Okay, so I can do anonymous
ldapsearch on the AD, but authenticated queries are no
dice. Once I get that down pat, I will be able to transfer proxy
authentication to LDAP, and later on, email accounts will be
authenticated that way. Single sign-on, here I come.


Ian Dexter R. Marquez
Information and Communication Technology Division
Philippine Rice Research Institute
Central Experiment Station, Maligaya 3119
Science City of Munoz PHILIPPINES
Trunk: +63 (44) 456 0258, 0277, 0285, 0426, 0653
Voice: ext.232 | Fax: ext.233

In my end is my beginning.
– Mary Stuart, Queen of Scots

Network configuration, day four

I’m beginning to suspect the problem lies with the W2K3 ADS.

We’re still getting intermittent authentication failures from W98
hosts, and we can’t change passwords even from WXP clients. I’m too lazy
to sniff out the packets going to and from ligaya, and
besides, I wouldn’t know where to look if it bites me in the nose.

I’ve tried searching the AD through ldapsearch.
Anonymous ldapsearch can query the directory, but when it
comes to authenticated queries, it’s a no go.

Google has lots of links for me, and I’ve exhausted each one. I’m
itching to post in some mailing lists, but I’m still restraining myself
until I can get *at least* a fix on what’s really happening. Besides, it
could be a W2K3 issue, and from what I have read in the local MS forums,
I doubt if they are any help. So back to dipping my nose on the docs.

Also: I wonder why using the automatic proxy configuration script
works for Mozilla and Firefox (a derivative of Mozilla), and not for IE.
Another MS quirk? I’ve managed to create a workaround, though: edit the
registry, hard-code the proxy configuration there.

Here’s what I did. I created a text file, proxy.reg,
containing the following:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="xxx.xxx.xxx.xxx:xxx"
"ProxyOverride"=".foo;.bar;.baz;"

I saved it in a public share on the server, created a login script
that invokes

regedit /s \\path\to\public\share\proxy.reg

and have it executed every time a user logs in. Should work. I hope.
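Because regedit /s suppresses the error dialog, a malformed proxy.reg (typographic quotes instead of ASCII ", a wrapped key line, or a placeholder left in the ProxyServer value) does nothing at logon and every user silently ends up with no proxy set. The checker below is an added example, not code from the original post: it parses the REGEDIT4 layout used above (quoted strings and dword values only), refuses typographic quotes, and confirms that the Internet Settings key carries a usable host:port before the file is copied to the share. The sample file and its 192.0.2.10:3128 value are constructed for the example.

```python
"""Validate a REGEDIT4-style proxy.reg before pushing it out via a login script.

Added example; not part of the original post.  SAMPLE_REG is a constructed
file that mirrors the post's proxy.reg layout with placeholder values filled in.
"""
import re
from typing import Dict, List, Tuple, Union

# Constructed sample input in the same shape as the post's proxy.reg.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="192.0.2.10:3128"
"ProxyOverride"=".foo;.bar;.baz;<local>"
'''

# The per-user key that Internet Explorer reads its proxy settings from.
IE_SETTINGS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                   r"\CurrentVersion\Internet Settings")

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data
_DWORD_RE = re.compile(r"^[0-9A-Fa-f]{8}$")              # exactly 8 hex digits
_SMART_QUOTES = "\u201c\u201d\u2018\u2019"               # curly quotes regedit rejects

RegValue = Union[int, str]


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse a REGEDIT4 file into {key_path: {value_name: value}}.

    Only the two value types the post uses are supported: quoted strings
    (with \\\\ and \\" escapes) and dword:XXXXXXXX.  Anything else, and any
    typographic quote, raises ValueError so the problem is caught before
    regedit /s swallows it silently.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header on line 1")
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line:
            continue
        if any(ch in line for ch in _SMART_QUOTES):
            raise ValueError(f"line {lineno}: typographic quote; use ASCII \"")
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section, e.g. [HKEY_...]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: value appears before any [key]")
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a \"name\"=data line")
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            if not _DWORD_RE.match(data[6:]):
                raise ValueError(f"line {lineno}: dword needs 8 hex digits")
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            raise ValueError(f"line {lineno}: unsupported value type {data!r}")
    return keys


def check_proxy_settings(keys: Dict[str, Dict[str, RegValue]]
                         ) -> Tuple[bool, str, int, List[str]]:
    """Return (enabled, host, port, bypass_list) for the IE settings key.

    Raises ValueError when the file would not do what the admin meant:
    key missing, ProxyEnable not 0/1, or ProxyServer not a real host:port
    (which also catches an "xxx.xxx.xxx.xxx:xxx" placeholder left in).
    """
    # Registry key paths are case-insensitive, so match them case-folded.
    values = next((v for k, v in keys.items()
                   if k.casefold() == IE_SETTINGS_KEY.casefold()), None)
    if values is None:
        raise ValueError("Internet Settings key not present")
    enabled = values.get("ProxyEnable")
    if enabled not in (0, 1):
        raise ValueError("ProxyEnable must be dword 0 or 1")
    server = str(values.get("ProxyServer", ""))
    host, sep, port_s = server.rpartition(":")
    if not sep or not host or not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"ProxyServer {server!r} is not host:port")
    bypass = [e for e in str(values.get("ProxyOverride", "")).split(";") if e]
    return bool(enabled), host, int(port_s), bypass


if __name__ == "__main__":
    print(check_proxy_settings(parse_reg(SAMPLE_REG)))
```

Run it against the real proxy.reg (`parse_reg(open("proxy.reg").read())`) before copying the file to the share; a non-zero exit from the ValueError is the signal to fix the file, whereas regedit /s at logon gives none.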


Network reconfig, day one

I’m starting to really, really hate Microsoft. I mean, I didn’t use to, because I’m one of those who have to live in an MS environment. But now that we’re starting to have problems using Active Directory service and Windows networking, I’m getting this itchy feeling to bash Gates.

We’re currently on a W2K3 AD environment. Joining WXP is a breeze; it was just a matter of changing a few parameters in the hosts. W98 is another matter. We’ve been experiencing inconsistent success and failure joining W98 hosts to the AD domain. One moment, the user can authenticate; he/she’d be blocked the next.

I’m beginning to suspect that this is a feature, not a bug, in W2K3, since W98 is not really meant for networking, after all.

Oh, well. These are just some of the things one has to contend with when one uses — or is it the other way around: one is being used by — Windows.

No, this isn’t MS-bashing time, just the plain truth about how difficult it is to live in an MS-dominated world.

Well, there’s always GNU/Linux and OSS…