Comments for Michael Kuron's Blog

Comment on Asterisk: Compile SRTP Module without recompiling Asterisk by Michael Kuron

Michael Kuron — Thu, 02 Feb 2012 05:24:39 +0000

1.8.8.0 still contains it, seems like this is a regression bug. You should file this as a bug against “AsteriskNOW and Packages” at https://issues.asterisk.org/jira. Bugs ANOW-137 and ASTERISK-18738 look like they’re related, but I have not been able to identify the specific change. The Squeeze package is still at 1.8.8.0 and contains res_srtp, but the Lucid package is already at the version you mentioned.

Comment on Asterisk: Compile SRTP Module without recompiling Asterisk by Stephane B.

Stephane B. — Wed, 01 Feb 2012 19:34:52 +0000

It seems they did it again with version 1.8.9.0 for ubuntu/debian.

I had to redo your trick

(This time res_srtp.c is in the code, but is not compiled or included in packages from digium… WTF ?)

Comment on Patching DSDT in recent Linux kernels without recompiling by Veer

Veer — Sat, 28 Jan 2012 23:22:59 +0000

Hello,

I am getting error “Non-ascii input file – DSDT.dsl” while recompiling the DSDT.dsl.

Comment on Patching DSDT in recent Linux kernels without recompiling by Veer

Veer — Sat, 28 Jan 2012 23:12:58 +0000

Hello Michael Kuron,

Additional information if it will help the DSDT is located in /sys/firmware/acpi/tables/ instead of cat /proc/acpi.

Thanks.

Comment on Patching DSDT in recent Linux kernels without recompiling by Michael Kuron

Michael Kuron — Sat, 28 Jan 2012 22:55:57 +0000

I believe 1.99 is already grub2, I'm running 1.98 and that's definitely grub2. Grub 1 lacks essential features, most notably the acpi command itself, so that wouldn't work. Other than what I wrote previously, there's nothing I can suggest (it should just work), so you're on your own there. If you find out what's causing the issue, please do post it. A good starting point would be to add an echo line to the script and see whether that gets output when running update-grub2. Also, please make sure that your recompiled DSDT is at /boot/dsdt.aml (case-sensitive), as that is where the script looks.

Comment on Patching DSDT in recent Linux kernels without recompiling by Veer

Veer — Sat, 28 Jan 2012 22:50:04 +0000

Hello Michael Kuron,

I apologize for the misinformation. I am using grub 1.99. Is it possible to fix the issue?

Comment on Patching DSDT in recent Linux kernels without recompiling by Veer

Veer — Sat, 28 Jan 2012 22:43:59 +0000

Hello,

Thank you very much for your promptly reply. I have removed the extension and changed the permission as you mentioned. However the update grub is not showing found acpi table. Should I try once again?

Comment on Patching DSDT in recent Linux kernels without recompiling by Michael Kuron

Michael Kuron — Sat, 28 Jan 2012 22:29:18 +0000

Is that grub2? Did you remove the .txt extension and then chmod +x it? If you did everything correctly, you’ll get a line saying that it found an ACPI table when you run update-grub2 to rebuild the grub config.

Comment on Patching DSDT in recent Linux kernels without recompiling by Veer

Veer — Sat, 28 Jan 2012 22:24:40 +0000

Hello Michael Kuron ,

I have added the file 01_acpi.txt in to /etc/grub.d after changing the permission as you mentioned.
Then I have edited the file DSDT.dsl as per the instruction of techinterplay.com. And recompiled the dsdt.dsl using the command iasl -tc dsdt.dsl. Finally I updated the grub. Unfortunately the battery meter is not showing up on my LinuxMint. Could you please assist me to resolve the issue?

Comment on Using Intel AMT’s VNC server by Intel V-pro techology

Intel V-pro techology — Fri, 27 Jan 2012 13:17:58 +0000

[...] which are very useful if you ever lock yourself out while remotely connected to the server. (Source) Reply With [...]

Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Charles Tryon

Charles Tryon — Thu, 26 Jan 2012 22:21:12 +0000

This is my version of the update script. Note that I have moved things to a directory only accessible by "dhcpd" user on the dhcp (Linux) server.


#!/bin/bash

## CONFIGURATION ##
realm=BBAGGINS.NET
principal=dhcpduser@$realm
keytab=/etc/dhcpd/dhcpduser.keytab
domain=bbaggins.net
ns=samba.bbaggins.net

export KRB5CCNAME="/etc/dhcpd/dhcp-dyndns.cc"

# keytab can be generated using the Samba4 tool:
#   samba-tool domain exportkeytab /etc/dhcpd/dhcpduser.keytab --principal=dhcpduser

## VARIABLES ##
action=$1
ip=$2
name=$(echo $3 | awk -F '.' '{print $1}')
mac=$4

usage()
{
	echo "USAGE:"
	echo $0 add 192.0.2.123 testhost 00:11:22:33:44:55
	echo $0 add 192.168.0.127 "" 00:11:22:44:33:55
	echo $0 delete 192.0.2.123 testhost 00:11:22:33:44:55
	echo $0 delete 192.0.2.127 "" 00:11:22:44:33:55
}

if [ "$ip" = "" ]; then
	echo "IP missing"
	usage
	exit 101
fi
if [ "$name" = "" ]; then
	name=$(echo $ip | awk -F '.' '{print "dhcp-"$1"-"$2"-"$3"-"$4}')

	if [ "$action" = "delete" ]; then
		name=$(host $ip | awk '{print $5}' | awk -F '.' '{print $1}')

		echo $name | grep NXDOMAIN 2>$1 >/dev/null
		if [ "$?" = "0" ]; then
			exit 0;
		fi
	fi
fi

ptr=$(echo $ip | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')

## KERBEROS ##
klist 2>&1 | grep $realm | grep '/' > /dev/null
if [ "$?" = 1 ]; then
	expiration=0
else
	expiration=$(klist | grep $realm | grep '/' | awk -F ' ' '{system ("date -d \""$2"\" +%s")}' | sort | head -n 1)
fi

now=$(date +%s)
if [ "$now" -ge "$expiration" ]; then
	echo "Getting new ticket, old one expired $expiration, now is $now"
	kinit -F -k -t $keytab $principal
fi

## NSUPDATE ##
case "$action" in
add)
	echo "Setting $name.$domain to $ip on $ns ($ptr)"

	oldname=$(host $ip $ns | grep "domain name pointer" | awk '{print $5}' | awk -F '.' '{print $1}')
	if [ "$oldname" = "" ]; then
		oldname=$name
	elif [ "$oldname" = "$name" ]; then
		oldname=$name
	else
		echo "Also deleting $oldname A record"
	fi

	nsupdate -g \<\



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Thu, 26 Jan 2012 22:05:27 +0000
Please do add it. Once both of you get it working properly, I’m going to clean up the comments a bit and maybe update the post with the solutions.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Charles Tryon
Charles Tryon — Thu, 26 Jan 2012 22:01:25 +0000
(Does anyone actually want me to post my slightly modified scripts here?  It seems like a lot of content, and I’m not sure how much it will add.)



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Wed, 25 Jan 2012 18:59:52 +0000
@Charles, Good point: Records created by Windows clients themselves are owned by their computer account, records created by the DHCP server running my script are owned by the account it uses. Only the owner and (I assume) DnsAdmin members have permission to modify DNS records.

I believe Microsoft has a solution that works the other way round (allow Windows clients to reclaim records owned by the DHCP server) that works by adding the DHCP server user to the DnsUpdateProxy group. However, that obviously won’t solve the problem you’re running into. You could use Group Policy to force the Windows clients not to update their DNS records themselves though.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Charles Tryon
Charles Tryon — Wed, 25 Jan 2012 18:54:53 +0000
I just loaded the DNS tools under the Remote Server Admin pack on my Windows7 client.  Looking at the security settings for my domain, members of the DnsAdmins group should have sufficient permissions.
One odd thing is that, DHCP now updates the A and PTR records.  For the Windows machines though, I see in the system logs that THEY are trying to update their own records.  Are those getting denied because I manually entered them (or, dhcpduser added them), so now the machines themselves don’t have permissions to change them???



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Wed, 25 Jan 2012 17:12:39 +0000
I created a user DDNS1, assigned it to the DNS Admins and gave it explicit rights to update the DNS Server and still it wouldnt work – i get tickets but then TSIG verify failures – I will look into the version of BIND.
Cheers
Bill



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Wed, 25 Jan 2012 15:17:12 +0000
As I said, I’m running a plain W2k8R2 with AD, AD-integrated DNS and nothing else. Must be your your BIND/nsupdate version then (9.7.3 works fine for me)? Or did you modify any of the DNS permissions from their defaults?



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Wed, 25 Jan 2012 15:11:33 +0000
Hi

I too get a ticket from krbtgt and a ticket from DNS but then it all falls in a heap with a TSIG failure (I have tried mapping the DNS service to the user with no success) One thing I have noticed is that Charles said he isnt using an AD; my DNS server is a W2K8 R2 integrated DNS Service – will this make a difference?
regards
Bill



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Wed, 25 Jan 2012 15:01:55 +0000
I’m running 1.8.3 because that’s what Debian Squeeze offers (I prefer stability, security and long-term updates over bleeding edge features). However, I just compiled 1.9.1 from source and it works just fine too. FYI, klist-ing the ticket cache reveals a krbtgt for the realm and a DNS ticket for the DNS server.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Wed, 25 Jan 2012 14:39:57 +0000
Hi
As I said I am using krb5-workstation-1.9.1-14 – is this the version you guys are using (should I upgrade)?
Regards
Bill



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Charles Tryon
Charles Tryon — Tue, 24 Jan 2012 17:06:36 +0000
The dhcpduser must at least be a member of the DnsAdmins group.  It is not necessary to update existing records, but required if you are adding a NEW DNS “A” record.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Charles Tryon
Charles Tryon — Tue, 24 Jan 2012 16:59:01 +0000
Interesting…
I always hate it when I do something to fix a problem, but when I un-do my fix, it doesn’t break the problem again…    I’m never sure if my fix was what caused the problem to go away or not.  I removed the dhcpduser from the various administrative groups, and it’s still working….
Second observation may be more related to DNS policy.  I’m getting a denied update, but I realized that it is trying to remove an A record with a different name.  I have a network printer that is trying to remove my manually created record and replace it with its own name.  This is being denied.  I suspect that I will need to manually remove my record, replace it with the name the device calls itself, and then create a CNAME with my preferred alias.
I also have a strange situation where it says that the update succeeded, but then it says it failed.  Maybe an error in the return code on the script??
Jan 24 11:51:16 samba dhcpd[19306]: Commit: IP: 192.168.2.145 Mac: 0:40:f4:2a:6c:85 Name: rivendell

Jan 24 11:51:16 samba dhcpd[19306]: execute_statement argv[0] = /etc/dhcpd/dhcp-dyndns.sh

Jan 24 11:51:16 samba dhcpd[19306]: execute_statement argv[1] = add

Jan 24 11:51:16 samba dhcpd[19306]: execute_statement argv[2] = 192.168.2.145

Jan 24 11:51:16 samba dhcpd[19306]: execute_statement argv[3] = rivendell

Jan 24 11:51:16 samba dhcpd[19306]: execute_statement argv[4] = 0:40:f4:2a:6c:85

Jan 24 11:51:16 samba dhcpd[19306]: Getting new ticket, old one expired 1327423666, now is 1327423876

Jan 24 11:51:16 samba dhcpd[19306]: Setting rivendell.bbaggins.net to 192.168.2.145 on samba.bbaggins.net

Jan 24 11:51:16 samba named[7220]: samba_dlz: starting transaction on zone bbaggins.net

Jan 24 11:51:16 samba named[7220]: samba_dlz: allowing update of signer=dhcpduser\@BBAGGINS.NET name=rivendell.bbaggins.net tcpaddr=192.168.2.6 type=A key=3293761836.sig-samba.bbaggins.net/160/0

Jan 24 11:51:16 samba named[7220]: samba_dlz: allowing update of signer=dhcpduser\@BBAGGINS.NET name=rivendell.bbaggins.net tcpaddr=192.168.2.6 type=A key=3293761836.sig-samba.bbaggins.net/160/0

Jan 24 11:51:16 samba named[7220]: samba_dlz: allowing update of signer=dhcpduser\@BBAGGINS.NET name=rivendell.bbaggins.net tcpaddr=192.168.2.6 type=A key=3293761836.sig-samba.bbaggins.net/160/0

Jan 24 11:51:16 samba named[7220]: client 192.168.2.6#51297: updating zone ‘bbaggins.net/NONE’: deleting rrset at ‘rivendell.bbaggins.net’ A

Jan 24 11:51:16 samba named[7220]: samba_dlz: subtracted rdataset rivendell.bbaggins.net ‘rivendell.bbaggins.net.#0113600#011IN#011A#011192.168.2.145′

Jan 24 11:51:16 samba named[7220]: client 192.168.2.6#51297: updating zone ‘bbaggins.net/NONE’: deleting rrset at ‘rivendell.bbaggins.net’ A

Jan 24 11:51:16 samba named[7220]: client 192.168.2.6#51297: updating zone ‘bbaggins.net/NONE’: adding an RR at ‘rivendell.bbaggins.net’ A

Jan 24 11:51:16 samba named[7220]: samba_dlz: cancelling transaction on zone bbaggins.net

Jan 24 11:51:16 samba dhcpd[19306]: update failed: SERVFAIL

Jan 24 11:51:16 samba dhcpd[19306]: update failed: NOTAUTH

Jan 24 11:51:16 samba dhcpd[19306]: DHCP-DNS Update failed: 22

Jan 24 11:51:17 samba logger: DHCP-DNS Update failed: 22

Jan 24 11:51:17 samba dhcpd: execute: /etc/dhcpd/dhcp-dyndns.sh exit status 5632

Jan 24 11:51:17 samba dhcpd[19306]: execute: /etc/dhcpd/dhcp-dyndns.sh exit status 5632

Jan 24 11:51:17 samba dhcpd: DHCPREQUEST for 192.168.2.145 from 00:40:f4:2a:6c:85 (rivendell) via eth0

Jan 24 11:51:17 samba dhcpd[19306]: DHCPREQUEST for 192.168.2.145 from 00:40:f4:2a:6c:85 (rivendell) via eth0

Jan 24 11:51:17 samba dhcpd: DHCPACK on 192.168.2.145 to 00:40:f4:2a:6c:85 (rivendell) via eth0

Jan 24 11:51:17 samba dhcpd[19306]: DHCPACK on 192.168.2.145 to 00:40:f4:2a:6c:85 (rivendell) via eth0



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Tue, 24 Jan 2012 16:29:58 +0000
@Charles: For DNS zone permissions, use DNS Admin on Windows, right-click the zone and click the Security tab (assuming Samba4 even implements this). On Windows 2k8R2 Server, by default “Authenticated Users” have permission to “Create child objects”, a.k.a. add records. On the record level, the owner (i.e. the creator, in our case dhcpduser) of a record also “Full Control” permissions, i.e. may edit and delete the record.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Charles Tryon
Charles Tryon — Tue, 24 Jan 2012 16:15:42 +0000
I’m planning on uploading my version of the script here in a little bit after I’ve tested a couple more tweaks.
One thing to remember is that I’m not actually dealing with a Windows AD server, though the documented method for managing the Samba4 server is to use the Windows AD tools.  I didn’t do any special configuration on my Samba instance, or on the named.conf other than the additions suggested by the Samba4 HOWTO.
I did use the samba-tool to create the dhcpduser and add that user into the administrative groups.  I added into the DnsUpdateProxy (that didn’t work by itself), the DnsAdmins and Domain Admins groups.  It’s the last one the makes me nervous, and which I want to try to eliminate if possible.  I don’t know how to check the permissions on the zone in the DNS admin, but that’s definitely something to look into.
The Samba-tool command had to be executed as root, which created a file only readable by root.  Since dhcpd runs as the user “dhcpd”, I changed the ownership so that process could read it.
    sudo /usr/local/samba/bin/samba-tool domain exportkeytab /etc/dhcpd/dhcpduser.keytab –principal=dhcpduser
(One interesting note – this command will append to the file if it’s already there rather than overwrite it.  Not sure what complications that might create…)
I’m still getting two blocks of messages in the /var/log/messages file — one from the script using the kerberos key, and one from what looks like the old method.  The kerberos key succeeds, and the second one fails.  I’m looking at the dhcpd.conf file to see if I can turn off the second (broken) update method.
(UPDATE:  I’m now getting “denied” messages in the var/log/messages, so I’m investigating….  :-/ )



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Tue, 24 Jan 2012 12:25:03 +0000
@Charles – could you tell me what syntax you used for the samba-tool please?
Regards
Bill



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Tue, 24 Jan 2012 10:35:46 +0000
No. As I said, I don’t even have winbind installed and no full Bind either, just the utilities package with dig, host, nslookup, nsupdate.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Tue, 24 Jan 2012 10:19:31 +0000
version is krb5-workstation-1.9.1-14-fc15 (x86-64)
as I asked Charles, do I need to do any Samba config work or BIND config work?
Regards
Bill



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Tue, 24 Jan 2012 08:45:48 +0000
Kerberos 5 is the protocol version, 1.9.2 is the version number of MIT’s Kerberos 5 implementation. If you built it from source, check the name of the tarball you downloaded. If you installed from Fedora’s package manager, it shoul tell you there. If I remember correctly, there’s no simple kinit –version that would tell you.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Tue, 24 Jan 2012 08:37:57 +0000
@Michael & Charles
Congrats Charles, with regards to your setup, did you do any Samba config work, any BIND work? – I cannot get this to work on my system. 
Michael, how do I get the version number (I thought it was Kerberos 5 but you have me worried now).



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Mon, 23 Jan 2012 22:13:24 +0000
Congratulations on finally getting it to work.
In my setup (with a plain W2k8R2), dhcpduser is simply a normal domain user. No admin, not even a DNS admin. Did you take a look at the Permissions on the zone in DNS Admin on your Windows server and did you change anything from the Windows defaults previously?
Yes, dhcpd runs as root on Debian, which is why the script makes that assumption (I never moved the stuff out of /root), but as you did, that’s easy to fix.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Charles Tryon
Charles Tryon — Mon, 23 Jan 2012 22:05:48 +0000
I was able to finally generate a valid keytab, this time using the samba4 “samba-tool” utility.  I was able to get the updates to work between dhcp and dns, but in order to get permissions, I had to add the “dhcpduser” to the Domain Admins group, which makes me REALLY nervous.  Is this really necessary?
The way the script was originally written, it seems like the dhcpd process is assumed to be running as “root” (access to the “/root” directory).  I changed this to run everything out of a new directory called “/etc/dhcpd”, which is owned by the user and group dhcpd:dhcpd.  This will at least keep other users from seeing the cache and keytab files.
(Now that I’ve got something working, I’m going to do some more testing with dialing back permissions and such.)



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Mon, 23 Jan 2012 15:48:31 +0000
Which version? 1.9.2?



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Mon, 23 Jan 2012 15:48:07 +0000
sorry MIT not Heimdal



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Mon, 23 Jan 2012 15:38:37 +0000
Can you be more specific about Kerberos? Heimdal or MIT? Which version?



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Mon, 23 Jan 2012 15:34:18 +0000
Linux distro: Fedora 15

nsupdate : 9.8.1

kerberos 5



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Mon, 23 Jan 2012 14:41:17 +0000
It’s not even a DNS admin, just a plain domain user. I just created it manually in AD Users and Computers and specified a random password, then used ktutil on my Linux box to write the keytab.
What Linux distro and which versions of Bind/nsupdate and Kerberos are you running?



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Mon, 23 Jan 2012 14:31:25 +0000
@Michael, I presume the user is a member of DNS Admins? 
This is driving me nuts – i have an ordinary user who is part of DNS Admins – I have assigned specific righst to that user – i have even tried using setspn and mapping the DNS service to that user – nothing works.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Mon, 23 Jan 2012 13:56:18 +0000
@Bill: No, it’s a plain standard Windows user.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Mon, 23 Jan 2012 13:54:19 +0000
@Charles if this is a Windows user then I recommend using ktpass on Windows but be careful – if you dont specify the password, ktpass writes a random password into the account.
@Michael, with regards to your user in your windows system, did you do anything other than create the user in windows i.e. did you run setspn and map dns to that user?
regards
Bill



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Charles Tryon
Charles Tryon — Thu, 19 Jan 2012 21:56:25 +0000
@Michael: Very clear: the keytab doesn’t contain that user’s password.

Right.  I went through the ktutil steps listed above to create the keytab (ktutil -> addent -password … -> wkt …).  I used the same password as when I created the user.  What am I missing???
? sudo klist -k dhcpduser.keytab

Keytab name: WRFILE:dhcpduser.keytab

KVNO Principal

—- ————————————————————————–

   1 dhcpduser@BBAGGINS.NET
(Also, I am assuming that it creates the cache file when you first successfully get the key.)



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Thu, 19 Jan 2012 20:43:13 +0000
@Charles:

kinit: Permission denied while getting initial credentials

It fails at the very first step.

kinit: Key table entry not found while getting initial credentials

Very clear: the keytab doesn’t contain that user’s password.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Charles Tryon
Charles Tryon — Thu, 19 Jan 2012 20:32:31 +0000
This is what I get  from the /var/log/messages file:
Jan 19 15:31:10 samba dhcpd[21605]: Commit: IP: 192.168.2.108 Mac: 0:18:f8:b7:e9:41 Name: merry

Jan 19 15:31:10 samba dhcpd[21605]: execute_statement argv[0] = /etc/dhcpd/dhcp-dyndns.sh

Jan 19 15:31:10 samba dhcpd[21605]: execute_statement argv[1] = add

Jan 19 15:31:10 samba dhcpd[21605]: execute_statement argv[2] = 192.168.2.108

Jan 19 15:31:10 samba dhcpd[21605]: execute_statement argv[3] = merry

Jan 19 15:31:10 samba dhcpd[21605]: execute_statement argv[4] = 0:18:f8:b7:e9:41

Jan 19 15:31:11 samba dhcpd[21605]: Getting new ticket, old one expired 0, now is 1327005071

Jan 19 15:31:11 samba dhcpd[21605]: kinit: Permission denied while getting initial credentials

Jan 19 15:31:11 samba dhcpd[21605]: Setting merry.bbaggins.net to 192.168.2.108 on samba.bbaggins.net

Jan 19 15:31:11 samba dhcpd[21605]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Bad format in credentials cache.

Jan 19 15:31:11 samba dhcpd[21605]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Bad format in credentials cache.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Charles Tryon
Charles Tryon — Thu, 19 Jan 2012 20:16:16 +0000
I made sure that the dhcpduser user was added to the domain with the proper password, and recreated the keytab as root, using the same principal name and password.  I’m still getting the same error from kinit

    ? kinit -F -k -t /etc/dhcpd/dhcpduser.keytab dhcpduser@BBAGGINS.NET

    kinit: Key table entry not found while getting initial credentials
One thing to note is that I’m using the Kerberos and DC from the Samba4 project.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Thu, 19 Jan 2012 07:59:09 +0000
@Michael

The syntax is used for ktpass was -princ w2k8dc/bill.dhcptest.com@dhcptest.com – cryto all – mapuser bill 
looking around, I have the feeling that this is wrong – what do you think?
Regards
Bill



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Wed, 18 Jan 2012 12:12:40 +0000
@Michael, checked and double checked and smbclient  prompts me for a password then connects – its only smbclient -k that doesnt work.

BTW I get no messages in the event log when smbclient fails!



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Wed, 18 Jan 2012 11:43:18 +0000
@Bill: Is the user for whom the Kerberos ticket was obtained even allowed to access that share? That’s what the error seems to suggest.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Wed, 18 Jan 2012 11:41:59 +0000
@Michael – this gets stranger – if i use smbclient , i am prompted for the password for bill and then it connects fine. If I use -k option then i get a tree connect failed: NT_STATUS_ACCESS_DENIED message.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Wed, 18 Jan 2012 10:46:52 +0000
@Bill: Take a look at your Windows Server’s logs. Sorry, with the information I have there’s really not much else I can suggest.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Wed, 18 Jan 2012 10:44:55 +0000
@Michael

using smbclient -k I am getting the message NT_STATUS_ACCESS_DENIED – the domain has a user bill, i have generateda keytab file that is forwardable; i can use kinit ‘user’ and get a ticket and the share has bill as a user – what am i doing wrong!!!
@charles – if you are going to generate the keytab file in windows be careful – do not use the -pass * option as this seems to write a random password into the windows database.
Regards
Bill



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Tue, 17 Jan 2012 22:11:36 +0000
@Charles:

Yup, this needs to be an existing domain user. I don’t know whether ktutil itself verifies the credentials, but it definitely needs to exist when you try to kinit with it.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Tue, 17 Jan 2012 22:09:04 +0000
@Bill:

In my testing, smbclient -k used whatever krbtgt ticket I had previously obtained. Also, I did all of this as root and it didn’t matter at all.

What version of kerberos are you using? And is it MIT or Heimdal? I don’t really know enough about the inner workings of Windows authentication or Kerberos to debug this kind of issue. It appears to be lying at a deeper level.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Charles Tryon
Charles Tryon — Tue, 17 Jan 2012 22:07:52 +0000
I believe I am having trouble creating a correct keytab file.

Does the dhcpuser need to be a valid user in the domain already, with a known password?  If so, is this the password you enter for the ktutil addent command?

    ktutil:  addent -password -p dhcpduser@BBAGGINS.NET -k 1 -e aes256-cts-hmac-sha1-96

    Password for dhcpduser@BBAGGINS.NET:

    ktutil:  wkt dhcpduser.keytab

    ktutil:  quit
when I try to do the kinit command, I’m getting the error:

    # kinit -F -k -t ./dhcpduser.keytab dhcpduser@BBAGGINS.NET

    kinit: Key table entry not found while getting initial credentials



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Tue, 17 Jan 2012 10:18:23 +0000
Ok
Heres what I think is the problem (and solution):
1) I am currently signed on as user bill trying to use a ticket for user ddns1.
2) Windows thinks I am trying to connect as bill when I try to connect to the share (detailed previously). So either smbclient -k is being overridden or I must be signed on as user ddns1 to use the ticket.
3) DHCPD runs as root so i am guessing that the user in windows with privileges to update dns must be ‘root’
Can you verify the above points or correct me please?
Regards
Bill



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Mon, 16 Jan 2012 17:18:03 +0000
Ok, then there’s your problem. Check your Windows server’s event log and try to find out why smbclient logon fails. Also, you could try recreating the keytab for ddns1 with ktutil as described in my blog post, but as kinit appears to work, I don’t think that’ll make a difference.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Mon, 16 Jan 2012 17:07:14 +0000
Hi
Yes I tried that and got the following in the ticket file (as dictated by the variable KRB5CCNAME):
Ticket cache: FILE:/tmp/dhcp.dyndns.cc

Default principal: W2K8DC/ddns1.DHCPTEST.COM@DHCPTEST.COM
Valid starting     Expires            Service principal

01/16/12 10:30:34  01/16/12 20:30:35  krbtgt/DHCPTEST.COM@DHCPTEST.COM

	renew until 01/17/12 10:30:34

01/16/12 10:43:32  01/16/12 20:30:35  cifs/W2K8DC.DHCPTEST.COM@DHCPTEST.COM

	renew until 01/17/12 10:30:34

01/16/12 10:43:32  01/16/12 20:30:35  cifs/W2K8DC.DHCPTEST.COM@DHCPTEST.COM

	renew until 01/17/12 10:30:34

01/16/12 10:56:05  01/16/12 20:30:35  DNS/w2k8dc.DHCPTEST.COM@DHCPTEST.COM

	renew until 01/17/12 10:30:34

01/16/12 11:11:51  01/16/12 20:30:35  DNS/w2k8dc.dhcptest.com@DHCPTEST.COM

	renew until 01/17/12 10:30:34
Note that ddns1 is the user I created in Windows.
I tried a connection to a share on the Windows server and got a 
smbclient -k //192.168.0.1/test

session setup failed: NT_STATUS_LOGON_FAILURE
Regards

Bill



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Mon, 16 Jan 2012 16:47:18 +0000
No, my DHCP server doesn’t even have winbind installed and thus is not joined to the AD domain.

Did you try kinit -t /path/to/keytab followed by a klist and does it show the ticket? Before moving on, make sure that Kerberos is indeed working properly. Also, try the other things I mentioned in my previous comment.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Mon, 16 Jan 2012 16:43:35 +0000
Hi
Ignore previous message (I solved the zone problem) but I am now getting the message
TSIG error with server: tsig verify failure
The only thing I have done differently to you is that I generated the keytab file in windows then copied it to linux – would this cause a problem.
btw is your dhcp server a member of your windows domain?
Regards

Bill



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Mon, 16 Jan 2012 10:35:04 +0000
Hi
Thanks for the help (sorry it has taken so long to get back to you). I am now getting an error ‘could not find enclosing zone’ – any ideas?
Regards
Bill



Comment on iOS 4.1: Undocumented VPN API, used by Cisco AnyConnect by Michael Kuron
Michael Kuron — Tue, 10 Jan 2012 06:19:02 +0000
@Giovanni: Cisco AnyConnect, Juniper SSL and F5 SSL can be selected in the IPCU. As these are the only apps currently available that use the VPN API, Custom SSL seems somewhat useless at this time. Perhaps Apple originally intended to open up the API to more 3rd parties.



Comment on Extending Active Directory for Mac OS X clients by RM CC4 & Apple Mac
RM CC4 & Apple Mac — Mon, 09 Jan 2012 22:44:24 +0000
[...]  [...]



Comment on iOS 4.1: Undocumented VPN API, used by Cisco AnyConnect by Giovanni Bajo
Giovanni Bajo — Mon, 09 Jan 2012 22:29:09 +0000
I believe the custom SSL option in the configuration profile exists so that you can create profiles for a custom VPN using the undocumented API. So for instance, if you create a profile for Cisco AnyConnect, you select Custom SSL and use “com.cisco.anyconnect” as identifier. You can then add some key/value  custom parameters that are interpreted by the app itself.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Mon, 09 Jan 2012 21:43:32 +0000
export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
This points kinit, klist, nsupdate, ... at the correct credential cache.
kinit -F -k -t $keytab $principal
This obtains the ticket and stores it in the keytab mentioned above.
So for testing, execute the script, then do export KRB5CCNAME="/tmp/dhcp-dyndns.cc" and then do klist. Do you see the ticket? Now do smbclient -k //server/share (or use some other kerberized service) to see whether the ticket works properly.

You must have somehow installed nsupdate (which comes with Bind) and Kerberos. If you installed them using your Linux distribution's package manager, I assume you'd find it there somewhere. On my Debian Squeeze machine, dpkg --list | grep 'krb\|bind' reveals bind9 at version 9.7.3 and krb5-user and libkrb5-3 at version MIT 1.8.3.


Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Mon, 09 Jan 2012 19:18:37 +0000
Hi

Thanks very much for the offer of help – really needed.
I have a user in my Windows Domain called DDNS1.

I have generated a Kerberos ticket for this user.

If I try to use nsupdate from the command line, it fails with the error I mentioned.
My questions are:

1) How do I get the version of nsupdate.

2) How does nsupdate know what credentials to use for the updates.

3) Where are the kerberos tickets stored i.e. do I need to point nsupdate at that store and, if so, how do I do this
Cheers



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Mon, 09 Jan 2012 17:33:56 +0000
Could be anything, you need to be a bit more specific there. What version of the Kerberos library and nsupdate/bind are you running? Does Kerberos work in general (test it using e.g. smbclient)? Do you get anything more specific when running nsupdate with -vvvd (verbose+debug)?

If you provide some more details, I’ll see whether I can help.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Mon, 09 Jan 2012 16:00:20 +0000
Michael
I need some help please – the script is failing. When I run nsupdate from the command line, I am getting the error TSIG error with server: tsig verify failure
Any help appreciated



Comment on Patching DSDT in recent Linux kernels without recompiling by ido
ido — Tue, 20 Dec 2011 04:43:20 +0000
Thanks for the post. Combined with the post in techinterplay.com, now I don’t have to endure “the torturing 2 hours” of recompiling anymore just to have the battery indicator light up in my desktop.
By the way, I wonder what is the real function of -e in the first line of 01_acpi files ?



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Mon, 19 Dec 2011 16:56:28 +0000
Hi

Thanks for the response – it turns out that I can only use part of the script but I will cite the source anyway. One of the biggest problems I ran into was that klist was returning $? = 1 no matter what parameters I used – turns out that SELinux prevents non-interactive shells read access to /tmp so I couldnt read the cache file.



Comment on Extending Active Directory for Mac OS X clients by Michael Kuron
Michael Kuron — Mon, 12 Dec 2011 11:58:36 +0000
Short answer: none.

Long answer: saves you buying another server and maintaining separate directories that might get inconsistent etc. Also, I’m pretty sure extending the schema will be the much easier choice if you’re running a big directory replicated across dozens of servers.



Comment on Extending Active Directory for Mac OS X clients by Dima
Dima — Mon, 12 Dec 2011 11:19:09 +0000
what is the benifit of extending the active directory schema for mac over having dual directories ?



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by GH
GH — Sat, 03 Dec 2011 06:25:22 +0000
Would anyone be willing to post VMWare 4.1, or send it to me directly? I’m so bummed now that their website refuses to allow us to download the version that has the ‘bug’ that allows Snow Leopard client to function. Google cache was unhelpful (hoped that an old version was still hanging around)
I had jumped to buy 4.1 as soon as the news broke, but unfortunately the version that came in the box was 4.0, and I have been unable to get any version to work with Snow Leopard client, even after running MultImac Helper 4
TIA



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by Michael Kuron
Michael Kuron — Wed, 30 Nov 2011 17:02:24 +0000
@mh: Did you try hiding the VMWare Tools virtual disc in /etc/fstab in the guest OS as described on http://hints.macworld.com/article.php?story=20060930150059172 ? I used that method for something else a few years ago and it worked. If you do want to update VMWare Tools some time, you’d need to manually mount the virtual disc using Disk Utility, but that’s probably preferable over having it automatically mounted on every boot.



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by mh
mh — Wed, 30 Nov 2011 16:57:46 +0000
You’re right: Software Update didn’t see the Safari 5.1.2 update with the ServerVersion.plist trick and EFI boot.
Via BIOS boot and SystemVersion.plist -only the Software Update was OK.
…but via BIOS boot the VMware Tools .iso is always mounts and the VMware Tools installation must always be cancelled.



Comment on Patching DSDT in recent Linux kernels without recompiling by Nicholas Hunsicker
Nicholas Hunsicker — Mon, 28 Nov 2011 21:57:46 +0000
Just wanted to say that I came over from the tech interplay page about fixing the toshiba battery issue as well, and I have this working now over here.  For those that are totally clueless about messing with /etc/grub.d you need to remember to run an update-grub2 afterward otherwise you’re not going to see any change.



Comment on Patching DSDT in recent Linux kernels without recompiling by Michael Kuron
Michael Kuron — Sun, 27 Nov 2011 07:35:29 +0000
@rod:

iasl -tc dsdt.dsl



Comment on Patching DSDT in recent Linux kernels without recompiling by rod
rod — Sat, 26 Nov 2011 22:14:19 +0000
Eric, I’m following your recomendation of using grub instead of recompiling kernel. The custom downloadable kernel does work, but it kills the 3d nvidia acceleration with the propietary drivers. My question is: in Patching DSDT post the man mention a DSDT.aml to add in grub… but the files after extracting, disassemby and reasembli are .dat .hex and .dsl.

¿How exactly do you use your custom DSDT in grub? I am missing the step that trasform to .aml

Thanks



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by Michael Kuron
Michael Kuron — Sat, 26 Nov 2011 16:58:04 +0000
@mh: I never had the issue that VMWare Tools try to reinstall and fail. Usually, darwin.iso should unmount itself after the bootloader was loaded. I provided my VMX files in the blog post, so you could check if there are any differences.
I don’t recommend the ServerVersion.plist trick — as I said before, I’ve previously had trouble with installing updates. But your mileage may vary, so use whatever works for you.
For now, I’d recommend to stay on Fusion 4.1. The only difference between 4.1 and 4.1.1 is that they re-added the server version check.

The InsantelyMac.org patches supposedly also work (but I’m not sure whether they’ve been updated for Fusion 4.1.1).
I’m currently running Fusion 4.1 and probably staying with it for a while, so I won’t be able to test anything that involves messing with ServerVersion.plist, darwin.iso or vmware-vmx.



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by mh
mh — Sat, 26 Nov 2011 16:49:18 +0000
I tested how VMware 4.1.1 update handles Mac OS X 10.6 VM created under the more forgiving v4.1. (I bought a retail version of Mac OS X 10.6 although I already had Mac OS X 10.6 for Mac mini).
As expected, the boot now halted at an alert “The guest operating system is not Mac OS X Server. The virtual machine will power off.”
There seems to be at least two options to bypass that error:
A) Before upgrading from VMware 4.1 to 4.1.1, do this in the Terminal inside the VM:
sudo touch /System/Library/CoreServices/ServerVersion.plist
…to add an empty ServerVersion.plist file in that folder.
BTW, if you copy and rename SystemVersion.plist as ServerVersion.plist (i.e. with text inside), the VM boots into server mode via EFI and BIOS.
So it seems that an empty ServerVersion.plist might allow future Mac OS X updates to happen correctly, right?
B) If you don’t add that ServerVersion.plist file, you have to:
1. Apply MultiMac Helper 4.app which patches Fusion’s Mac OS X Server detection stuff to trick it into also allowing the non-Server versions.
(As is said elsewhere here, the helper modifies darwin.iso (OS X VMware tools and bootloader) and replaces all checks for ServerVersion.plist (only exists on Server versions) with SystemVersion.plist (exists on every system). VMware uses some signature checking, so you’ll need to re-sign all VMWare Tools ISOs with your own certificate, otherwise VMware will refuse to run).
2. You also need to remove the
firmware = “efi”
line from the VMX, or it will complain about the OS not being the server version during boot.
When booting an existing VM this way via BIOS, VMware connects darwin.iso to the VM, loads its special bootloader from there. There are some alerts you can bypass by answering OK to the 1st and whatever to the 2nd message:
> Your Mac OS guest is using this CD-ROM device. …Note that if no physical media is currently inserted, you can safely continue.: OK
> Your Mac OS guest is using this CD-ROM device…: OK or Cancel continues the boot.
…but then VMware always unsuccessfully and unnecessary tries to reinstall VMware tools so you must cancel it and unmount the VMware Tools. How can this be bypassed?



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by mh
mh — Sat, 26 Nov 2011 10:44:28 +0000
> create a disk image selecting the DVD/CD device NOT the “Mac OS X Install DVD”, Image Format: DVD/CD Master.
Actually all Disk Utility Image Formats work the same here as long as you grab it from the device, so I’ve used the default “compressed” .dmg which is somewhat smaller. But if you need to modify the disk image, then pick the read-write .dmg or DVD/CD Master .cdr ( what is their difference BTW?).
Of course you can later convert the compressed image to read-write and vice versa with the Disk Utility.



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by mh
mh — Tue, 22 Nov 2011 17:03:54 +0000
I re-tried installing Mac OS X 10.6 from scratch and this time I experienced no VMware freezes. But maybe giving the VM more memory than the default 1 GB and more CPU cores would help during the installation??
Ragarding 64- vs 32-bit in my Mac mini (Early 2009) that can’t boot Mac OS X 10.6 in 64-bit mode without hacking the stock Apple EFI (on the other hand, it boots Mac OS X 10.7 by default in 64-bit mode just fine):
I installed also in 64-bit mode in VMware but nevertheless the Activity Monitor reports the kernel_task running only in “Intel” (i.e not Intel (64 bit) as most of the processes) and the System Profiler also reports “64-bit Kernel and Extensions: No”.
So it seems that the VM is running in 32-bit although VMware was told to install as 64-bit.
What do you see in other Macs (MacBooks have the same limitation regarding 64-bit boot in Mac OS X 10.6)??



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by Michael Kuron
Michael Kuron — Tue, 22 Nov 2011 16:28:48 +0000
@John: Good point there regarding creating the disk image. My recommended procedure for pulling an image off a bootable DVD is dd if=/dev/disk1 of=disk.iso



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by John Stoll
John Stoll — Tue, 22 Nov 2011 15:44:56 +0000
I was able to create a Mac OS X 10.6 client using Fusion 4.1 from a disk image of a Snow Leopard installer DVD. I tried several times until I found what I had to do: create a disk image selecting the DVD/CD device NOT the “Mac OS X Install DVD”, Image Format: DVD/CD Master. Did not need any helper app, nor modify or patch any files.
Thanks to mh for pointing me in the right direction



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by mh
mh — Mon, 21 Nov 2011 19:49:43 +0000
> The install DVD that came with your Mini will only install on a Mini.
This new .vmx option enables host model pass-through:
hw.model.reflectHost = “TRUE”
This will cause the VM to see the same model ID as the host.  The default for this option is FALSE.  Be aware that using this option may cause VM portability issues since the guest may now depend on this behavior and the type of the underlying Mac.
http://communities.vmware.com/message/1865986?tstart=0
One source said that these options should only be used to workaround issues when installing from hardware-specific DVDs, and should be removed from your .vmx file after the install has completed, and Mac OS in the VM has been updated to its latest version via Software Update.
I could now install from the Mac OS X 10.6.2 install DVD for Mac mini in VMware 4.1 with no other hacks besides the hw.model.reflectHost = “TRUE” line.
The install went otherwise OK, but at the very end of the install VMware freezed requiring a force quit as well at the very end of the Mac OS X account creating. But then it launches OK.
BTW, how do you edit the .vmx file? I Option-right-click the VM and choose Open Config File in Editor which opens TextWrangler.app in my setup. But TextWrangler by default tries to save the files as Western (Mac OS Roman); I have changed this to Unicode (UTF-8) because the files starts with .encoding = “UTF-8″ line.
On the other hand, VMware support pages suggest opening the VM package in the Finder, and editing the .vmx with TextEdit.app’s default settings.
Does VMware care which encoding or which kind of line breaks (the default seems to be UNIX LF) the .vmx file uses?



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by Michael Kuron
Michael Kuron — Mon, 21 Nov 2011 16:04:38 +0000
Regarding 10.7 on VMWare: According to the macenterprise mailing list, 10.7.2 removes the driver for the SCSI adapter that VMWare emulates. Manually putting it back supposedly works: http://groups.google.com/group/macenterprise/msg/a1797aac6d620db1



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by Michael Kuron
Michael Kuron — Mon, 21 Nov 2011 16:02:41 +0000
Today the news about VMWare Fusion 4.1 went through the blogosphere. Seems like people are having mixed success. My guess would be that simply because of the new popularity of OSX on Fusion more people are finding bugs.
@Dom: Safari/WebKit sounds like an odd cause for this. But if uninstalling it helped, great.



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by Dom
Dom — Mon, 21 Nov 2011 15:55:49 +0000
Sorted it out. The culprit on my system was a Safari prerelease. Downloaded the uninstaller, ran it and now all is back to normal.
@dfs: Rosetta is on the DVD AFAIK, alternatively SL will download and install Rosetta when the first ppc program is run.



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by dfs
dfs — Mon, 21 Nov 2011 12:42:09 +0000
I’m experiencing a similar problem installing from a retail DVD of Snow Leopard. Goes fine until about 1/4 installed, then hangs a long time, then finally puts up a message “necessary files not found.” BTW. once SL is installed, how exactly does one add Rosetta (which is the whole point of the exercise)?



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by Dom
Dom — Sun, 20 Nov 2011 23:56:46 +0000
I’m really baffled myself. I tried to make a clean install, getting rid of ANY trace of Fusion except my virtual machines. Still getting weird behavior. Mostly the existing VMs tend to crash and burn and are also horribly slow 

Giving up and moving back to 4.01  



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by Michael Kuron
Michael Kuron — Sun, 20 Nov 2011 16:02:02 +0000
Not sure what the problem is there — it works perfectly fine for me (I have not done any extensive testing, but it feels the same as before). However I have not tried installing new VMs — all my VMs were created on Fusion 2.0 with the original MultiMac helper.



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by Dom
Dom — Sun, 20 Nov 2011 15:57:11 +0000
I wasn’t able to install either 10.5 or 10.6 with Fusion 4.1 (same as mh wrote) and my existing VMs for those that ran fine on Fusion 4.0x don’t run anymore (they ran once but were very unstable).

Any ideas what is up there?



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by mh
mh — Sun, 20 Nov 2011 15:28:24 +0000
OK, VMware Fusion 4.1 should now allow users to virtualize also non-server retail versions Mac OS X 10.5 and 10.6
I tried several times to install retail version of Mac OS X 10.5 to my Mac mini (Early 2009) in 64- or 32-bit modes, but the Mac OS X installer always hangs half-way with no error messages.
Anyway, I just ordered the retail version of Mac OS X 10.6 from Apple Store (29 EUR) because I guess it won’t be much longer available from Apple (I already have the Mac OS X 10.6.2 installer DVD for Mac mini).



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by mh
mh — Sat, 19 Nov 2011 17:01:24 +0000
> So I ended up installing my machine-specific disc on real hardware, pulling an image, and restoring that from a Leopard DVD booted in VMWare
Thanks for the tip! I successfully created Mac OS X 10.6 VM the following way (no hacks required with VMWare 4.1). Luckily I had some spare external disks to fiddle on. Sorry for the detailed post, but this serves also as a memo for me because I’m still a novice when it comes to VMWare.
1. I made a small 10 GB partition (9 GB would have been enough but I wanted to play it safe) and installed Mac OS X 10.6.2 on it from the Mac OS X 10.6.2 install DVD for Mac mini (Early 2009). I installed only essential system software and Rosetta (my goal is to switch to Mac OS X 10.7 while having access to old applications that need Rosetta).
2. I then booted to my main Mac OS X 10.6.8 disk and with Disk Utility made a read-only “Mac OS X 10.6.2 installation.dmg” from that small partition with Mac OS X 10.6.2 on it.
3. Then I switched to 10.7-only: I booted to my Mac OS X 10.7.2 disk, launched VMware Fusion 4.1 and used Mac OS X 10.7.1.dmg to install a Mac OS X 10.7 32-bit VM (Mac mini (Early 2009) can’t boot 64-bit Mac OS X 10.6 kernel without hacking the EFI, so I chose to use 32-bit Mac OS X 10.7 here).
4. I shut down the VMWare’s Mac OS X 10.7.1 installation and added another HD to it via Virtual Machine > Hard Disk (SCSI) Settings… > Add Device… > New Hard Disk > Add… > Apply. I launched the 10.7.1 VM and initialized the new HD with the Disk Utility via clicking the new device (the one without disks on it) > Erase (I named the new disk as “HD”).
5. Then I shared the Desktop folder of the host (“Mac OS X 10.6.2 installation.dmg” was on the host’s Desktop) via Virtual Machine > Sharing Settings… > Shared Folders: ON, add Desktop folder.
6. Then I launched the Disk Utility and clicked the new empty “HD” on the left > Restore > dragged the new empty “HD” from the left to the Restore’s Destination panel > Source: Image… > navigated to the “Mac OS X 10.6.2 installation.dmg” > Restore.
7. Now I essentially got a dual-boot VM so i could just use the Startup Disk control panel inside the VM to determine whether to boot from the 10.7 or 10.6 HD. To make a Mac OS X 10.6-only VM I did the following after shutting down the VM:
8. Create New VM > Continue without disk > Use an existing virtual disk > navigate to the 10.7 VM (by default it is at ~/Documents/Virtual Machines) and choose the (10.6′s) “Virtual Disk.vmdk” > Make a separate copy of the virtual disk > Choose > Continue > Opreating System: Apple Mac OS X, Version: Mac OS X 10.6 [32-bit] > Continue > Finish > Save. Then the Mac OS X 10.6.2 VM successfully booted!! The only glitch I’ve sofar noticed is that while the 10.6 VM boots up, the Apple wireless mouse gets briefly disconnected.
9. Now can optionally delete the 10.7 VM  or just the 10.6 HD in it.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Michael Kuron
Michael Kuron — Thu, 17 Nov 2011 18:49:59 +0000
Hi Bill,
I just updated my post with two changes I made a few days ago: one fixes an issue so that dhcpd doesn’t pause until nsupdate finishes, the other one makes sure that clients that don’t provide a hostname in their DHCP request are registered with an automatically-generated fallback name.

Also, I just noticed that the “nsupdate -g <
Other than that, I am not aware of any issues with my solution.
You can use the script for whatever you like (but if you publish it somewhere else, I expect that you cite the source).

Please do note that I accept no responsibility for the functionality, security or anything else related to the sample code, how-to guides, etc. on my blog. You’re entirely on your own if you use it in a production environment. I’m publishing this because it works for me, but your mileage may vary.
That being said, I’d appreciate if you could let me know how my script works out for you and if you find any bugs.



Comment on ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS by Bill Smith
Bill Smith — Thu, 17 Nov 2011 10:11:21 +0000
Hi Michael,
I am trying to get Linux DHCP to dynamically update Microsoft (2008 R2) DNS when the DNS Service is in Secure updates only mode. 
I was pointed in the direction of your script which would seem to do the job and I have to ask the following questions:
1) Did you encounter any further problems that you have either not yet resolved or have not published the resolution?
2) Can I use your script in a commercial environment please?
Regards
Bill



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by Michael L.
Michael L. — Fri, 11 Nov 2011 16:50:31 +0000
Hello Michael,
My current environment is as follows:
OS X Lion 10.7.2

VMWare Fusion 3.1.3

    – OS X Snow Leopard Client (Retail Version)
The current setup works fine, however I purchased VMWare Fusion 4 to take advantage of the latest software upgrade.
In a short summary, I could not get VMWare Fusion 4 to boot Snow Leopard, subsequently I back out and reversed everything back to VMWare 3.1.3.
I have looked thru insanelymac.org in hoping to find specific instructions regarding the necessary steps for getting and preparing VMWare Fusion 4 to boot and ultimately migrate my Snow Leopard image to VMWare Fusion 4 friendly.
I had a strong feeling the solution is right in front of me once the fog is cleared, as I didn’t think rebuilding from scratch is necessary.
Thank you in advance.
Best regards,
Michael L.



Comment on Mount ext3 VMDK in VMWare Fusion using VMDKMounter by Michael Kuron
Michael Kuron — Mon, 07 Nov 2011 21:50:52 +0000
Make sure you have the latest version of osxfuse installed (and check the MacFUSE compatibility layer option while installing). If it still doesn’t work, uninstall osxfuse and try the last version of MacFUSE (which I believe only runs on 32-bit Snow Leopard).



Comment on Mount ext3 VMDK in VMWare Fusion using VMDKMounter by frage
frage — Mon, 07 Nov 2011 20:38:28 +0000
i get this error message when i try to open the vmdk by dopple-clicking.



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by Michael Kuron
Michael Kuron — Mon, 07 Nov 2011 14:16:40 +0000
The install DVD that came with your Mini will only install on a Mini. You either need a retail DVD, or you might be able to modify the PKGs on the DVD to not perform the model check (I’m sure somebody has blogged about this somewhere).

In fact the situation is similar to what I described in my post on installing Tiger in VMWare: back then, the retail DVDs were PowerPC only. So I ended up installing my machine-specific disc on real hardware, pulling an image, and restoring that from a Leopard DVD booted in VMWare.



Comment on Running Mac OS X 10.4, 10.5, 10.6 and 10.7 in VMWare Fusion 4.0 by mh
mh — Mon, 07 Nov 2011 11:27:15 +0000
I’m having trouble installing Mac OS X 10.6 in VMware.
My setup: VMware Fusion 4.0.2, Mac OS X 10.6.2 install DVD for Mac mini (Early 2009).
1. Apply MultiMac-Helper-4.app
2. Insert the Mac OS X 10.6 install DVD, launch Disk Utility, and create a disk image from it. Select the DVD/CD device (in my case PIONEER DVD-RW DVRTS08), NOT the “Mac OS X Install DVD” because the disk image made from the latter does not boot. Then choose File > New… > Disk Image from disk2… > Image Format: DVD/CD Master > Save, and wait for a while.
3. Mount the .cdr disk image by double clicking it, and in the Terminal create an empty ServerVersion.plist file:
touch “/Volumes/Mac OS X Install DVD/System/Library/CoreServices/ServerVersion.plist”
Then unmount the disk image.
4. Create a new VMware virtual machine: Create New > Continue without disk > choose the .cdr disk image, Operating system: Apple Mac OS X, Version: Mac OS X Server 10.6 64-bit or Mac OS X Server 10.6 [32-bit].
…my 64-bit CPU, 64-bit EFI Mac mini can’t boot Mac OS X 10.6 in 64-bit mode without hacking the stock Apple EFI (on the other hand, it boots Mac OS X 10.7 by default in 64-bit mode just fine).
…so I’m not sure whether I should configure VMware in 64- or 32-bit mode with Mac OS X 10.6 (with Mac OS X 10.7 64- and 32-bit both work OK). So I have always tried both 64- and 32-bit options.
The installer disk image now boots into the “Mac OS X Server”

language selection window. But when I choose continue, there is an alert “Mac OS X can’t be installed on this computer.”
Is it just that my Mac mini install DVD is missing something?



Comment on Mount ext3 VMDK in VMWare Fusion using VMDKMounter by Michael Kuron
Michael Kuron — Sun, 06 Nov 2011 21:49:28 +0000
When/where are you getting this error message? Make sure that you selected the MacFUSE compatibility layer when you installed osxfuse.



Comment on Mount ext3 VMDK in VMWare Fusion using VMDKMounter by frage
frage — Sun, 06 Nov 2011 20:24:01 +0000
i get this error msg:
MacFUSE ist nicht installiert.  -> in english: MacFUSE is not installed.
please help me…