accelerando

Monthly Archives: January 2008

I care.

31-Jan-08

Tante did it again and wrote a witty rant against “CrApple”, read it here.

This post, among a lot of other things that I recently experienced with OS X 10.5.x on my MacBook and my PPC iMac, led me to one conclusion: just try Linux on the desktop once again. The last time I did it was around 2002, 2003… Not too pleasant an experience. In the meantime, things have changed, I guess, and I myself have some good knowledge of Debian Linux on multiple servers, so why not try to bring this back to my office.

So, welcome my new desktop, which will hopefully be delivered by next week:

Dell Vostro 200

This Dell Vostro 200 comes with Vista Business… I won’t touch this but install a second hard drive and opt for Debian/Lenny. I’m not under any time pressure, so I’ll try to fit the environment to my needs in as much detail as possible. If you’re interested, I’ll keep posting about it.

A weird hotline call…

23-Jan-08

Yesterday I had a very strange telephone conversation, but for what it’s worth, a very kind and pleasant one.

Bloggers in Germany often write about devastating calls to phone, computer or software hotlines. About employees who give a shit about the actual problem. This post isn’t going to be one of them.

I called the Parallels hotline about a funny problem with my account. I really haven’t had such a nice conversation with a helpdesk in a long time. An interested employee who really wanted to help me. Kind of a relief not talking to someone who is randomly bored, not interested, plain stupid or in any other way distracted.

My problem itself is funny on the one hand, and on the other hand a “don’t ever think about implementing a system that way”.

I really had a good password on the Parallels website, with some special chars and one very special char, a German umlaut, namely the “ü”. I never had a problem with this until they redid their website and the backend. Suddenly I couldn’t log in anymore. Hm, my browser did save the password, I remembered it correctly, so what the hell is wrong? There was the usual “(I’m stupid and) forgot my password” link, so I clicked this and got my password delivered via email. Huh? There are still people saving passwords in plain text? After, for example, someone stole reddit’s database with lots of email addresses and plain text passwords? I felt relieved that I mostly use different passwords on different accounts.

Please, people, the least you could do is to hash your passwords, just to prevent a casual hacker from taking your users’ data away. And even a simple md5 hash would have prevented my silly problem. Go with sha or sha512 or, the best you can do, salt and hash your password: crypt or bcrypt. There are libraries available for every major programming language to do this, no need to reinvent the wheel.

Why could this have saved me and Parallels a lot of problems? A simple md5 hash would have changed the “ü” to some arbitrary character which for sure would fit into the ASCII alphabet, and an upgrade to their website backend wouldn’t have mutilated the data in the user table. Thanks! I guess I’m the only international customer with German umlauts in his password.
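An added example (not part of the original post, and not Parallels' code) of the salted hashing argued for above: the stored record is pure ASCII, so a re-encoding during a backend migration cannot damage it, while a plain-text "ü" does get mangled. It uses PBKDF2 from Ruby's bundled OpenSSL as a standard-library stand-in for the bcrypt the post names; the iteration count, record layout, sample password and `misread_as_latin1` helper are assumptions made for illustration.

```ruby
require 'openssl'
require 'securerandom'

ITERATIONS = 100_000 # assumed work factor for this example; tune for your hardware
KEY_LEN    = 32

# Canonical bytes of a password: UTF-8, NFC-normalised, so "ü" typed as one
# code point or as "u" + combining diaeresis hashes identically.
def password_bytes(password)
  password.encode('UTF-8').unicode_normalize(:nfc).b
end

def derive(password, salt, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac(password_bytes(password), salt, iterations,
                             KEY_LEN, OpenSSL::Digest.new('SHA256')).unpack1('H*')
end

# Returns an ASCII-only record: scheme$iterations$salt_hex$hash_hex
def hash_password(password, salt = SecureRandom.random_bytes(16))
  ['pbkdf2-sha256', ITERATIONS, salt.unpack1('H*'),
   derive(password, salt, ITERATIONS)].join('$')
end

# Compares two hex strings without returning early on the first mismatch.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
end

def verify_password(password, record)
  scheme, iterations, salt_hex, hash_hex = record.split('$')
  return false unless scheme == 'pbkdf2-sha256' && hash_hex
  constant_time_equal?(derive(password, [salt_hex].pack('H*'), iterations.to_i), hash_hex)
end

# Constructed stand-in for a backend migration that misreads UTF-8 as Latin-1.
def misread_as_latin1(stored)
  stored.dup.force_encoding('ISO-8859-1').encode('UTF-8')
end
```

Running `misread_as_latin1` over a stored record returns it unchanged, whereas the same call on a plain-text password containing "ü" returns a different string that no longer matches what the user types.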

The funniest thing about the conversation was dictating a funny German word to a native American English speaker and hearing her repeat it. She could look up my account and saw the letters… Trying to log in with them wasn’t possible, neither was resetting the password… For that, I must be logged in. Haha.

I guess I could be pissed about the need to open a second account, but the conversation was fun. And in the end, Parallels Desktop is a great product and what the heck, someone messed up and they didn’t blame it on me like many German hotlines do. Furthermore, I was really happy, realising that my rusty school English is still not that rusted and that I’m still able to communicate some problems without much hassle.

But going back to the password problem: Please start writing serious authentication code, it’s not that hard. Thank you.

Edit: I must say, the Parallels support really rocks! They did manage to reset my account and they did read my emails the first time I wrote them and did not respond with some standard templates like many others do. I really appreciate this, and this post isn’t in any way a rant against Parallels or their support team, but it is a rant against thoughtless database design.

Turning off x_send_file in development mode

23-Jan-08

I just discovered the great x_send_file plugin and technique and use it extensively for Daily Fratze. I replaced the majority of send_file calls with x_send_file but not all (the in-memory thingies I serve cannot be sent through Apache). This works great in production mode, but in development mode it fails as there is no Apache sitting in front of the mongrels. Therefore I added the following to my $app_home/config/environments/development.rb:

class ActionController::Base
  def x_send_file(path, options = {})
    send_file(path, options)
  end
end

So all calls to x_send_file in dev mode are delegated to the original send_file.

If anyone can present me a cleaner solution, i.e. with method aliasing, feel free to drop a comment.

Using rubyzip to create zip files on the fly

21-Jan-08

In my Daily Fratze project the users should be able to download their faces as a zip file backup.

Until now they have been able to upload zip files. For that, I used rubyzip, which worked quite well.

As a starting point I found a nice article on the joy of rubyzip, but this has a major flaw for me. It uses the Zip::ZipFile interface to create its archives. This interface takes a filename as a parameter and either creates this file if it doesn’t exist or tries to open it as a zip archive.

I don’t want my directories polluted by some random zip files, so I tried to use Tempfile. Creating a new Tempfile leads to an existing file which Zip::ZipFile cannot open.

My solution uses the more basic interface Zip::ZipOutputStream. Further requirements were adding binary files with arbitrary names and not, like in the examples of rubyzip, creating new files with some textual content. Here we go:

require 'tempfile'
require 'zip/zip'
require 'zip/zipfilesystem'
 
t = Tempfile.new("some-weird-temp-file-basename-#{request.remote_ip}")
# Give the path of the temp file to the zip output stream, it won't try to open it as an archive.
Zip::ZipOutputStream.open(t.path) do |zos|
  some_file_list.each do |file|
    # Create a new entry with some arbitrary name (use a distinct name per entry in real code)
    zos.put_next_entry("some-funny-name.jpg")
    # Add the contents of the file; don't read the stuff linewise if it's binary, read it in binary mode instead
    zos.print File.open(file.path, 'rb') { |f| f.read }
  end
end
# The end of the block automatically closes the file.
# Send it using the right mime type, with a download window and some nice file name.
send_file t.path, :type => 'application/zip', :disposition => 'attachment', :filename => "some-brilliant-file-name.zip"
# The temp file will be deleted some time...
t.close

Edit: The basename given to Tempfile.new is what the name says: A basename. It doesn’t need to denote a full path. Tempfile creates an arbitrary path for you in the default temporary directory.

Notes on RedHat / Oracle Enterprise Linux, ADS and Samba

17-Jan-08

Recently I needed Windows clients to access a directory on the database server from which CLOBs were created. Since the server is an Oracle Enterprise Linux, I could follow the steps explained behind the following link to get Samba up and running with the Active Directory run by a Windows 2k3 server:

Which steps must be done to run Samba with AD-Integration

In short:

Setup Kerberos:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
default_realm = WINDOWS.JARA23.CO.UK
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
 
[realms]
WINDOWS.JARA23.CO.UK = {
   kdc = server.windows.jara23.co.uk
   admin_server = server.windows.jara23.co.uk
   default_domain = windows.jara23.co.uk
}
 
[domain_realm]
.kerberos.server = WINDOWS.JARA23.CO.UK
.windows.jara23.co.uk = WINDOWS.JARA23.CO.UK
 
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
 
[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

Test this with

kinit admin@WINDOWS.JARA23.CO.UK

After entering a valid password, this command should give no error.

Setup a minimal Samba configuration:

#GLOBAL PARAMETERS
[global]
   workgroup = MIDGARD
   realm = WINDOWS.JARA23.CO.UK
   preferred master = no
   server string = Linux Test Machine
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   idmap uid = 600-20000
   idmap gid = 600-20000
   ;template primary group = "Domain Users"
   template shell = /bin/bash
 
[homes]
   comment = Home Directories
   valid users = %S
   read only = No
   browseable = No
 
[printers]
   comment = All Printers
   path = /var/spool/cups
   browseable = no
   printable = yes
   guest ok = yes

Enable winbind, pam and other parameters with system-config-authentication.

Start Samba and join the domain with:

net ads join -U Administrator
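
A pre-join consistency check for the two configuration files above, as an added example that is not part of the original post or of Samba. It confirms that smb.conf and krb5.conf agree on the realm, and it flags local accounts whose UIDs fall inside the `idmap uid` range, which the smb.conf manual says should contain no existing local users. The embedded fragments are trimmed copies of the configs shown here, and the function names and the UID lists used to exercise it are assumptions.

```ruby
# Trimmed copies of the krb5.conf and smb.conf fragments from this post.
KRB5 = <<~CONF
  [libdefaults]
  default_realm = WINDOWS.JARA23.CO.UK
  [realms]
  WINDOWS.JARA23.CO.UK = {
     kdc = server.windows.jara23.co.uk
  }
CONF

SMB = <<~CONF
  [global]
     realm = WINDOWS.JARA23.CO.UK
     security = ADS
     idmap uid = 600-20000
CONF

# Minimal "[section]" / "key = value" reader, enough for these two fragments
# (not a full krb5.conf or smb.conf parser).
def parse_sections(text)
  section = nil
  text.each_line.with_object(Hash.new { |h, k| h[k] = {} }) do |raw, conf|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1].downcase
    elsif (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      conf[section][m[1]] = m[2]
    end
  end
end

# Returns a list of problems; local_uids are the UIDs already used in /etc/passwd.
def ads_join_problems(krb5_text, smb_text, local_uids)
  krb5 = parse_sections(krb5_text)
  smb = parse_sections(smb_text)['global']
  realm = smb['realm'].to_s
  problems = []
  problems << 'security is not ADS' unless smb['security'].to_s.casecmp?('ads')
  problems << 'realm differs from krb5 default_realm' unless realm == krb5['libdefaults']['default_realm']
  problems << 'realm has no [realms] entry' unless krb5['realms'].key?(realm)
  lo, hi = smb['idmap uid'].to_s.split('-').map(&:to_i)
  clash = local_uids.select { |uid| lo && hi && uid.between?(lo, hi) }
  problems << "idmap uid range contains local UIDs #{clash.inspect}" unless clash.empty?
  problems
end
```

Feed it the real file contents and the UID column of /etc/passwd before running the join; an empty list means the checks covered here passed.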