— pissing into the wind

I posted this on the freenas forums..

Here’s a short write-up on how I got SSL going with LDAPS against AD for authentication. I used the plugin and am working out of / in the jail.
keytool is located at /usr/pbi/subsonic-amd64/bin
1) Create a cnf file to be used for generating the csr.

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Texas
localityName = Locality Name (eg, city)
localityName_default = San Antonio
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Company
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Department
commonName = Common Name (hostname)
commonName_default = subsonic
commonName_max = 64
emailAddress = Email Address
emailAddress_default = [email protected]
emailAddress_max = 64
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[email protected]_names
DNS.1 = subsonic
DNS.2 = subsonic.domain.com
IP.1 =

2) Generate the csr and private key

openssl req -new -sha256 -out subsonic.csr -config subsonic.cnf -newkey rsa:2048 -nodes -keyout subsonic.key

3) Submit the CSR to your CA. I used a Windows CA and received the subsonic.cer certificate.
4) Generate a PKCS12 file to be used for the Web SSL Java Keystore. I could not get this working using the sytem keystore, so this one is just for https.

openssl pkcs12 -export -out subsonic.pfx -inkey subsonic.key -in subsonic.cer -certfile CA-Certificate.cer

5) Create the Java Keystore to be used for SSL access.

./keytool -importkeystore -srckeystore subsonic.pfx -destkeystore subsonic.keystore -srcstoretype PKCS12 -srcalias 1 -destalias subsonic.domain.com

6) Add your CA certificate to the system Java Keystore as well. This will be used for LDAPS authentication. The default password is ‘changeit’ You should probably change that as well.

./keytool -import -trustcacerts -alias CA-domain.com -file /CA-Certificate.cer -keystore /usr/pbi/subsonic-amd64/openjdk7/jre/lib/security/cacerts

7) Enable LDAP Authentcation under Settings\Advanced

LDAP URL: ldaps://server.domain.com:636/dc=domain,dc=com
LDAP search filter: (&(sAMAccountName={0})(&(objectCategory=user)(memberof=cn=subsonic,ou=groups,dc=domain,dc=com)))
LDAP Manager: DOMAIN\user (non privileged!)

8) The default user cache is too high. Edit it in /var/db/subsonic/jetty/4427/webapp/WEB-INF/classes/ehcache.xml

<cache name="userCache"

Read More

This is a copy/paste from https://forums.he.net/index.php?topic=3194.0.  I’m keeping it here in case that post ever disappears and I need a reference.

This isn’t something people do often, so I figured I would add a post about it (mostly so I can Google it myself in a few years…)
To configure Dynamic DNS (DDNS) updates on your NetScreen/SSG device (may vary slightly between revisions/models):
NOTE: You might also require PING/ICMP Echo Request to be enabled on WAN interface…
By default, DDNS uses HTTPS to connect to update server. You must add the CA certificate that signed the server’s certificate.  For tunnelbroker, connect tohttps://ipv4.tunnelbroker.net/nic/update – you don’t need to login so click cancel if prompted. To display the certificate click (or double-click) on the "padlock" next to "https" in the address bar.
– in Chrome, click "Connection" then "Certificate details"
– in IE, click the padlock then "View certificates" – (IE seems to have issues saving certificates to a file…)
Select the "Certification Path" tab
Double-click the entry immediately above(currently "Starfield Secure Certificate Authority – G2") the default/bottom one (e.g. tunnelbroker.net)
Select "Details" tab
Select "Copy to file"
Next / Base-64 / Browse – pick somewhere you can find it and a name you can remember, e.g. "starfield-2.cer"
Now, go to Web-UI on NS/SSG
Navigate to Objects – Certificates
Select "File: Choose File"
Find the cert you saved previously, OK
Select "Load"
Adding Certificates via CLI:
Not recommended as it requires storing the cert file on a tftp server, but read about it here: http://kb.juniper.net/InfoCenter/index?page=content&id=KB4777
The NS/SSG can now validate the certificate when it connects to update server!
Next, gather your tunnel information.
From https://tunnelbroker.net/ find your tunnel entry
e.g. username-1.tunnel.tserv3.xxx1.ipv6.he.net
copy this hostname somewhere you can find it
Click on the tunnel entry
Click on the Advanced tab
Copy your Update Key somewhere you can find it
Now, the actual DDNS part….
Option #1: Web-UI
In NS/SSG Web-UI, navigate to Network / DNS / DDNS
Take note of any existing entries as you will be prompted for an ID number that is not currently in use…
Select "New"
Enter an unused ID number (1 is fine if you have no existing entries)
Set server type to "dyndns"
Set server name to "ipv4.tunnelbroker.net"
Defaults for update intervals should be fine
Leave "Clear text" unchecked – that is why we added the cert!
Enter your account name in "Username"
Enter your "Update Key" in Password
Leave Agent blank – it will auto-populate with your OS version, unless you want to put something else here
Bind to Interface – Select your WAN/untrust interface your tunnel is on
For "Hostname", enter your tunnel name – e.g. username-1.tunnel.tserv3.xxx1.ipv6.he.net
For Service, leave default of "dyndns"
Select OK!
Option #2: CLI:
get dns ddns  – take note of any existing entries as they must each have a unique ID number
set dns ddns id X server "ipv4.tunnelbroker.net"server-type dyndns
set dns ddns id X username USERNAME password UPDATEKEY
set dns ddns id X src-interface ethernet0/0 host-name username-1.tunnel.tserv3.xxx1.ipv6.he.net
set dns ddns enable
To view status:
-> get dns ddns
status: enable  usage: 1/8
id type   state server          username   interface  nextupdate   lastresp
1 dyndns     1 ipv4.tunnelbrok username   eth0/0     6d;23:24:00  nochg
To view detailed status:
-> get dns ddns id X
Id:                     1
State:                  Init
Socket:                 -1
Type:                   dyndns
Server:                 ipv4.tunnelbroker.net
Clear-text:             no
Refresh-int:            7 days 0 hours 0 minutes 0 seconds
Min-update-int:         1 hours 0 minutes 0 seconds
Next-update:            6 days 23 hours 24 minutes 0 seconds
Username:               username
Password:               **********
Agent:                  Netscreen-6.X-00000
Src-interface:          ethernet0/0
Host-name:              username-1.tunnel.tserv3.xxx1.ipv6.he.net (dyndns)
Last-response:          nochg
Last-Updated:           before 36 minutes 8 seconds
Successful updates:     3
Failed updates:         0
Server lookup failures: 5
Socket creation errors: 0
Socket connect errors:  3
Socket send errors:     0
Update retries:         0
To debug / troubleshoot:
From CLI:
Cancel debugging / clear buffer:
-> undebug all   (or press <ESC>)
-> clear dbuf
Enable DDNS debugs:
-> debug dns ddns
View dbuf:
-> get dbuf stream
Errors that show DNS is working:
ddns: server ipv4.tunnelbroker.net resolved to
Errors that show SSL issue:
DDNS: connect error
socket creation failed
Successful update:
ddns: server ipv4.tunnelbroker.net resolved to
GET /nic/update?system=dyndns&hostname=username-1.tunnel.tserv3.xxx1.ipv6.he.net&myip=XXX.XXX.XXX.XXX&wildcard=OFF&mx=mail.exchanger.ext&backmx=NO&offline=NO HTTP/1.0
Accept: text/html;*.*;
Host: ipv4.tunnelbroker.net
ddns: succesfully updated DYNDNS server
The "nochg" means the updated IP matches the existing one, so "no change".
Don’t forget to cancel debugging with "undebug all" or pressing "<ESC>"

Read More

The antivirus server at work was pissing me off and saturating our OC3.  I policed it down to 50mbps.

ip access-list extended traffic-police
permit ip host any

class-map traffic-police
match access-group name traffic-police

policy-map traffic-police
    class traffic-police
        police 50000000 conform-action transmit exceed-action drop

int po1/0
service-policy output traffic-police

Read More

ip wccp version 2
ip access-list standard WCCP_Proxies
10 permit host
20 permit host

ip access-list extended WCCP_Redirect
10 deny ip host any
20 deny ip host any
30 permit ip any

ip wccp 0 group-list WCCP_Proxies redirect-list WCCP_Redirect

int vlan 10
ip wccp 0 redirect in

Read More

After I installed Exchange 2013 and tried to access either OWA or ECP on it, I kept getting Error 500.  Looking at the httpproxy logs, I saw this: The unhandled exception was: System.Security.Cryptography.CryptographicException: Invalid provider type specified.

Turns out Exchange doesn’t like the key provider, Microsoft Software Key Storage Provider, so you have to reissue a cert using Microsoft RSA SChannel Cryptographic Provider as the provider.

I did this by going through the web cert enrollment and using the Web Server template.  Then I assigned the new certificate to the SSL sites in IIS.

The solution is over here.

Read More

it never fails, it never fails… or rather it always seems to fail:  exchange service packs or rollups.  I’ve had to fix quote a few at work and in my home lab.  one thing that I’ve come across multiple times for exchange 2010 is to run a powershell script that automagically fixes the issue.  this post has it right:

Typical, i spend ages looking about with no joy but as soon as i post i find a solution!
For anyone else with the same issue;
"After you install update rollup 1,2 or 3 on an Exchange 2010 Client Access Server you often get a blank OWA page when browsing to the OWA page.
After installing the rollup updates you will receive something like the following URL;https://mail.msexchangeblog.nl/owa/auth/logon.aspx?url=https://mail.msexchangeblog.nl/owa/&reason=0 .
To fix this issue you must start updatecas.ps1 in the Exchange Management Shell. You can find the script in C:\Program Files\Microsoft\Exchange Server\V14\Bin . The script updatecas.ps1 will handle the OWA and ECP updates. The updatecas script comes with the update rollup."

That’s it.

Read More

… My dad changed ISPs and took the SSG5 I gave him offline.  I had to disable the VPN on my side because it was spamming the logs.  If I ever need to re-enable it, all I need to do is bind it to tunnel.1 and re-enable monitor, optimized, and rekey.

Read More

So that servers get only one ipv6 address…

C:\Users\administrator.GUAMMIE>netsh int ipv6 sh int

Idx     Met         MTU          State                Name
—  ———-  ———-  ————  —————————
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
10          50        1280  disconnected  isatap.{1C882B80-03D8-4F3C-B703-6A1DC1768F6B}
11          50        1280  disconnected  Teredo Tunneling Pseudo-Interface
14           5        1500  connected     Local Area Connection 4

C:\Users\administrator.GUAMMIE>netsh int ipv6 sh int 14

Interface Local Area Connection 4 Parameters
IfLuid                             : ethernet_9
IfIndex                            : 14
State                              : connected
Metric                             : 5
Link MTU                           : 1500 bytes
Reachable Time                     : 27000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : disabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

netsh interface ipv6 set interface 14 forwarding=disabled routerdiscovery=disabled managedaddress=disabled

Read More

i’m currently working on a wireless deployment with a requirement to use mac filtering.  There are over 600 laptops being deployed to a unique location per laptop.  Part of the imaging process doesan ipconfig and dumps the output to a text file which I can then use to copy/paste the hostname and mac into the Cisco 8510 wireless controller.  I’m lazy, so I made a bash script to parse the ipconfig text files. I wish I knew how to do this in Windows, but I work with what I got. The script takes this input from a text file:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : GU0123LT01
   Primary Dns Suffix  . . . . . . . : guammie.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : guammie.com

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Ralink RT5390R 802.11b/g/n 1×1 Wi-Fi Adapter
   Physical Address. . . . . . . . . : B8-76-3F-25-34-4D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : B4-B5-2F-8D-BF-2B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

And generates this command line that I can just copy/paste into the controller:

config macfilter add B8:76:3F:25:34:4D 18 guunit-clients "unit 0123 laptop"

Here’s the script.  It’s not the cleanest, but it works:

for f in $FILES
  # take action on each file. $f store current file name
  hostname="$(awk ‘/Host Name/ {c=1}c–>0’ $f | sed -n ‘/\<Host Name\>/ s/.*[[:space:]]\([[:alnum:]]\+\)$/\1/p’ | awk ‘{print substr($0,3,4)}’)"
  mac="$(awk ‘/Ralink RT5390R/ {c=1;next}c–>0’ $f | awk -F ‘Physical Address. . . . . . . . . : ‘ ‘{print $2}’ | sed ‘s/\-/\:/g’)"

echo "config macfilter add $mac 18 guunit-clients \"unit $hostname laptop\""


That’s it.

Read More

1)  Get the latest PBIS Open Edition from BeyondTrust (formerly Likewise): http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True

2)  chmod 755 the file, execute it, then install it.

chmod 755 pbis-open-


cd pbis-open-


3)  Join the domain

sudo domainjoin-cli join guammie.com administrator

4)  Add domain group to sudoers

sudo visudo

%GUAMMIE\\domain^admins ALL=(ALL) ALL

5)  Make domain logins use Bash (or whatever shell you want), refresh lss, and clear ad cache

sudo /opt/likewise/bin/lwregshell set_value ‘[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]’ LoginShellTemplate /bin/bash
sudo /opt/likewise/bin/lwregshell set_value ‘[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\Local]’ LoginShellTemplate /bin/bash
sudo /opt/likewise/bin/lwsm refresh lsass
sudo /opt/likewise/bin/lw-ad-cache –delete-all

That’s it.

Read More

I’ve watched a few episodes of Hell’s Kitchen in my day and one thing that always got to me was how those poor schmucks just let Gordon Ramsey rail into them.  I always thought, “Have some goddamned respect for yourselves, people!”  Then I got this job.  After turning 16, I can’t recall the last time someone I know yelled at me in sheer anger.  But it seems to keep happening here.  Crisis after fucking crisis.  So I’ve decided to have some goddamn respect for myself and am convinced that no retirement package (that I can get anyway since I don’t go for C-level positions) is worth the level of stress and humiliation I’m getting here.  So off I go and back to the space in between.

Read More

My wife is due April 13!  It’s a girl and I’m excited.  I’ll post more later.  I’m really just making sure I’ve setup my blog client correctly on my new badass (I’m going to reread this post in 3 years and laugh at these specs) Core i7 3770K, 16GB desktop!  No Windows 8 though.  I tried it and it’s not for me.  I didn’t realize how much I use the Start menu until it was gone.  I suppose I could just learn more keyboard shortcuts… w/e.

Read More