Running lots of commands as root in Ubuntu

February 8th, 2010

Just a quick sneaky trick – if you’re used to being able to run terminals as root, or you need to run a lot of commands as root, and are sick of having to type sudo every time, there is a sneaky way of increasing your privileges for the terminal sessions. 

Open a terminal, and run:

sudo su

and you have a terminal running as root! Running su by itself doesn’t work with Ubuntu … but if you sudo the command, it does. Generally, this isn’t great practice – it’s too easy to make a mistake and damage the system, so use with caution!

Author: Rob Categories: Linux, Ubuntu

Renaming an Ubuntu machine’s hostname (to the serial number)

February 8th, 2010

Setting the hostname on an Ubuntu linux installation is pretty easy during the installation.  However, for a standard image to be dropped onto a wide range of machines, it really needs to be unique and set via a script.

We like to use the serial number of the PC in question, though this is more or less practical depending on the brand of PC. Acer, for example, tend to have VERY long serial numbers – it may be unique, but it’s going to be harder to type than just an IP address. IBM tend to use reasonable 7 digit strings, which is much more usable. Other brands can be longer or shorter.

Setting hostname itself seems easy – just run

sudo hostname <newname>

(where sudo is used to run the command as root) in a terminal, and the hostname of the machine will change.  You’d think we were done, but unfortunately not!  This will only change the hostname until the next reboot.  On startup, the contents of the file

/etc/hostname

are used to set the hostname. To update this, I like to set the hostname for the current session, then run

hostname > /etc/hostname

(as root) which will overwrite the file with the current hostname. If running as part of a script on startup, this will set the hostname now, then update the file for future restarts. However, we still aren’t done. We need to update another file

/etc/hosts

with the details of the name for networking purposes.  We need to add the hostname, and any domain name aliases too.  The hosts file will probably look something like:

127.0.0.1                        localhost                 localhost.domain.local

127.0.1.1                        <hostname>

Update the hostname line, and add new aliases for the hostname for any domains that may be relevant.  At this point, the system is renamed!  However, this is all still pretty manual – ideally we need to script the process.

Now, to get the serial number, we can query the BIOS using the dmidecode command, and then process it using the myriad of Linux text handling commands.

dmidecode | grep "Serial Number" | head -n1 | sed -e 's/\tSerial Number: //g'

(as root, again) should return the serial number from the bios!  We can combine this with the hostname command, as follows:

hostname $(dmidecode | grep "Serial Number" | head -n1 | sed -e 's/\tSerial Number: //g')

(once again, as root.) This will set the hostname to the serial number.

I actually combine all of the commands discussed to form a single script -

#!/bin/sh

hostname $(dmidecode | grep "Serial Number" | head -n1 | sed -e 's/\tSerial Number: //g')

hostname > /etc/hostname

echo "127.0.0.1       localhost     localhost.domain.local" > /etc/hosts.new

echo "127.0.1.1     $(hostname)     $(hostname).domain.local" >> /etc/hosts.new

mv /etc/hosts.new /etc/hosts

This sets the hostname, then updates the hostname file.  It then generates a complete hosts file line by line, and overwrites the old version.  There are probably better ways of updating the text file directly, but this works effectively enough.

Finally, I set this script file (which I named hostname.sh) to run on system startup.  Simply copy the file to

/etc/init.d

and run (as root)

update-rc.d hostname.sh defaults

where hostname.sh is the chosen name for your script.  This will add the script to the startup scripts on the machine, where it will automatically be run as root.
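A hardened take on the script above, as an added example (not the author's code): it validates the serial before using it as a hostname, because a DMI serial can contain spaces or slashes, exceed the 63-character label limit, or be a vendor placeholder that is identical on every unit. The function names, the placeholder list and the --apply switch are assumptions; domain.local is taken from the hosts file shown earlier.

```shell
#!/bin/sh
# Added example: function names, the placeholder list and --apply are assumptions.

# Convert a raw DMI serial into a valid hostname label (a-z, 0-9 and '-',
# at most 63 characters, no leading or trailing '-').
# Prints the label on success; returns 1 if the serial is unusable.
serial_to_hostname() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    # Map every run of other characters to a single '-', then trim both ends.
    label=$(printf '%s' "$lower" | LC_ALL=C tr -cs 'a-z0-9' '-' \
        | sed -e 's/^-*//' -e 's/-*$//')
    # Keep at most 63 characters and re-trim in case the cut ended on '-'.
    label=$(printf '%s' "$label" | cut -c1-63 | sed -e 's/-*$//')
    case $label in
        # Empty, or a placeholder that is the same on every machine (assumed list).
        ''|to-be-filled-by-o-e-m|system-serial-number|default-string|not-specified|none)
            return 1 ;;
        *[!0]*) ;;          # contains at least one character other than '0'
        *) return 1 ;;      # all zeros: not unique either
    esac
    printf '%s\n' "$label"
}

# Print a complete hosts file in the layout used in this post.
render_hosts() {
    name=$1 domain=$2
    printf '127.0.0.1\tlocalhost\tlocalhost.%s\n' "$domain"
    printf '127.0.1.1\t%s\t%s.%s\n' "$name" "$name" "$domain"
}

# Apply the change to the running system (root only).
apply_hostname() {
    serial=$(dmidecode -s system-serial-number) || return 1
    name=$(serial_to_hostname "$serial") || {
        echo "unusable serial '$serial'; hostname left unchanged" >&2
        return 1
    }
    hostname "$name"
    printf '%s\n' "$name" > /etc/hostname
    # Write the new file beside the old one and rename it into place,
    # so nothing ever reads a half-written /etc/hosts.
    tmp=$(mktemp /etc/hosts.XXXXXX) || return 1
    render_hosts "$name" "domain.local" > "$tmp"
    chmod 644 "$tmp"
    mv "$tmp" /etc/hosts
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_hostname
fi
```

Run it with --apply from the startup script; without the switch it only defines the functions, which makes the sanitising step easy to test against the serials in your own fleet.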


Using Ubuntu in the corporate world

February 8th, 2010

Recently, I’ve been playing with Linux, specifically Ubuntu, in an attempt to set up a simple, maintainable client for virtual desktops. It’s been a fair while since I’ve used linux in a serious sense, so I thought I’d post up what I’ve done, as I progress (largely for my own reference, but hopefully others might find it of use!)

Key requirements are:

A virtual client!  In this instance, the vmware open client will need to be installed and configured on the desktop.  There are still limitations with the open client that may break the plan – limitations with remote media playback, and usb redirection are two areas in particular that may cause issues.

A working web browser! Of course, Firefox is an obvious standard, installed with Ubuntu, so that’s not much of a challenge, at least on the surface. Beyond a working web browser, we need to possibly extend our server architecture to support browsers beyond Internet Explorer for our key web applications, allowing a level of work to be carried out in the event of virtual desktop failures. This is where things get a lot harder!

A standard environment across different hardware, locked down for the default user. This is actually quite tricky. By default, linux is designed to be easy to customise and configure, so locking it down to a single user, while allowing network proxy changes and wireless connections, is actually quite a challenge. In addition, desktop launchers will need to be variable, depending on local printer installations for users on laptops with home printers (vmware-view allows you to redirect a printer, but you need to specifically do it by name).

An architecture to allow remote reconfiguration, support and updates across a company wide platform. This is one of the worst areas – linux still lags quite badly behind the sort of architecture taken for granted on a Windows network when it comes to administration through global policies. It’s still fundamentally a server operating system, and admin tools generally focus on supporting machines running in that capacity, not as clients. This is the hardest area of all, looking forward to a possible roll out of well over a thousand machines world wide, with a technical team with no linux experience! Keeping the client simple and cheap, allowing machines to be swapped instead of supported is a very high priority where possible.

Hopefully the next series of posts on this topic will be useful, although it’s quite a change of tack from SharePoint! Don’t worry, as new SharePoint issues come up, I’ll still be posting on that topic too.

More People Picker issues

October 26th, 2009

Tom commented on a post with the following problem, and I thought it merited a post.

“We have a MOSS 2007 FARM AND 3 DOMAINS all have a two way trust.  We have over 78 sites all of which stopped with no known reason from being able to find users that are in one of the domains we can find the users in the view profiles yet we can no longer find users using peoplepicker for any users from the one domain.

We have tried this command you have provided and they come back with commandline error
stsadm -o setproperty -pn peoplepicker-searchadforests -pv domain:full domain name,-userlogin domain\username password –url http://webapp url”

It sounds like an interesting problem, but it’s difficult to answer without more information. Incidentally, the profiles comment, about being able to view user profiles, is rather a red herring. This is handled by an import process specified elsewhere in the SSP, and has nothing to do with the People Picker displaying users.

Let’s discuss the stsadm command first. Without knowing the specific error message, I can’t say why the command is failing, but there are two probable outcomes. stsadm is not generally included in the default path for a Windows installation, so if the error message is:

'stsadm' is not recognized as an internal or external command, operable program or batch file.

The problem is simply that you need to find the appropriate location first.  The location is generally:

C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN>

so simply change directory to that path, and run the STSADM again. It sounds obvious, but I must admit, I had a bit of a nightmare trying to find the stsadm path when I first started looking at SharePoint!

The other possibility is that the command has been run, but that the parameters haven’t been entered correctly.  If so, you get the terribly helpful response of :

Command line error.

Followed by a complete syntax reference for the command, and it sounds much more likely that this is the cause of the problem, from the notes in the question. Unfortunately, this is quite a lot harder to discuss, as unsurprisingly people aren’t going to give the specific command line with all of their configuration details and passwords to be put onto a website, and the generic, censored versions are probably going to be correct, at least as far as it goes.

The best help I can give here is to put together a full hypothetical example, rather than just repeating the command syntax yet again.

Essentially, you first need to set an internal SharePoint encryption key, then tell the server what domains to add to the list, and what valid username and password to use to connect to the domain in order to pull back the list.  Don’t use administrator, btw!!!

To set the initial encryption key, use:

stsadm.exe -o setapppassword -password <yourencryptionkey>

To set the actual domain link, use:

stsadm.exe -o setproperty -url http://domain1.example.com:80 -pn "peoplepicker-searchadforests" -pv "domain:domain1.example.com,domain1\LoginName, P@ssword; domain:domain2.example.com,domain2\LoginName, P@ssword; domain:domain3.example.com,domain3\LoginName, P@ssword"

Of course, with two way trusts a single user name and password could be used if you granted the appropriate rights. 

What normally goes wrong putting this together? Normally it is either that the encryption key hasn’t been set first, or that the construction of the domain list has a syntax issue (or that the surrounding quotes have been missed off).

As a rule, though, if you get a command line error when running stsadm, you have got the format wrong.  If the format is right, it won’t necessarily solve the problem (if your username or password is wrong, for example, it still can’t access the other domain information), but you’ll see the changes applied.  A good way of checking is to run:

stsadm.exe -o getproperty -url http://domain1.example.com:80 -pn "peoplepicker-searchadforests"

And it will show the details you’ve set (with passwords asterisked out).

What makes the problem Tom is experiencing interesting is that apparently the People Picker has been working, and now isn’t.  This, to me, implies that something has changed with the installation, or the Active Directory configuration.

Key things to check would be:

Has the system user context still got access rights to the domain that appears to be no longer accessible? A two way trust means that user rights can be assigned … by default they aren’t.

Have the active directory servers changed?  If so, you may need to force DNS updates, otherwise resolution against the AD may be looking for defunct servers.

Has the stsadm command been run successfully in the past, and the usernames and passwords have since changed (or expired)? This will obviously drop off the People Picker’s ability to query the domain.

Has a security patch been applied against the domain, or have permissions to the Active Directory been changed? By default, older systems allowed anyone to do a basic LDAP query against the Active Directory, but this was locked down. If this loophole was previously being used instead of setting correct access rights for the security context of the web application, it’ll obviously start causing this issue.

I hope this helps – Tom, if you’ve solved the problem, please let me know the solution :)

Filtering the SharePoint People Picker Results

July 24th, 2009

Someone asked in the comments on another post how to filter the responses to the People Picker to only show active users. It’s an unusual question, in that “Active Users” is so difficult to define. The People Picker’s default behaviour includes a check to make sure that the account is enabled in Active Directory, so disabled accounts are hidden. Perhaps it means just users, not groups, or just those users granted access to the Site Collection.

I actually favor the option in the people picker to only return users which have been granted permissions on the Site collection.  This instantly means users in one site collection don’t know about the existence of others by default, and is easy to implement.  Just run:

stsadm -o setproperty -url http://<server> -pn peoplepicker-onlysearchwithinsitecollection -pv yes

You can add specific users to the site collection by searching for the fully qualified logon name, but the people picker will only return users on the site.

If you need slightly more unusual options though, you’ll need to alter the query itself.  It’ll also potentially affect the ability to add any users to the site, so be very, very careful - I’d really recommend not trying this unless you are pretty confident with LDAP queries.

There are several ways of doing this – first, you can set the People Picker to use a custom LDAP query, and select exactly what you need from the AD. The alternative is that you can allow the People Picker to use standard queries, and then filter the result set. You can also restrict queries to a particular OU, which would obviously limit the response.

The first is best if you need to limit the query to a specific OU or search for a custom field flagging people as a SharePoint Site user, but be warned – performance on a non-indexed field will be appalling. I’d avoid it if possible. The second is better if you need to hide certain user accounts (like service accounts) from the returned queries. The last option is quite neat, but it’s rare that you structure AD for your SharePoint web applications. Synergy online covers all these options in detail here.

Incidentally, I believe the LDAP query to filter for only active users is:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

So to only return active users, not groups, you could use the following filter:

stsadm -o setproperty -url http://server/sites/vp-site -pn peoplepicker-searchadcustomfilter -pv "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

One final note – the AD filter and limiting the queries to an OU are only available from SharePoint SP1 onwards – make sure you’re patched!

Twittering from multiple platforms!

June 18th, 2009

Well, I’ve reached 100 tweets, from various different devices, and thought I’d jot down my thoughts on the best tools on the various platforms.

First up – the iPhone! I love the iPhone, and will shortly be upgrading to version 3.0! It’s my favorite platform for twittering generally, as I always have it with me. I’ve tried a range of tools, but my favorite is Twitterrific, ever since their last version upgrade. It does absolutely everything I need or want it to do, and is free, if you’re willing to put up with an occasional advert. I also use Twitterfall, which is a pretty cheap application, and is by far the best tool for monitoring trending topics in the twitterverse.

Next – the BlackBerry. My BlackBerry is provided by work, and until I got my iPhone was by far the best mobile device I’d come across – it’s still the best for corporate use and sending emails. Here, I’ve recently been introduced to the delights of UberTwitter, which is excellent – the location plotting tools are brilliant if a little intrusive if you don’t notice them for the first few tweets!

Of course, posting tweets from the desktop is always useful! The main Twitter site is always really useful. The best tool for posting and monitoring tweets used to be Tweetree but I’ve found it a little unreliable of late. Twitterfall is great on the desktop too, for monitoring trending topics. Finally, for coordinating a group on Twitter, I’ve found Twibes to be simply great and very easy to use.

Are there other great tools on these platforms? Absolutely! These are just the ones that I, as a relative newbie to twitter, have found really accessible and highly useful! I’d love to hear about others if people want to comment.

SharePoint Books – what’s useful, and what’s not!

June 2nd, 2009

OK, before I get started here, let me clarify.  I’m predominantly a SharePoint administrator, not a developer, so these reviews are based around their use for installation and administration, as opposed to their use for a web developer!  If I think something would be useful for different roles, I’ll try and point it out, but do bear the viewpoint in mind as you read further.

With the disclaimer out of the way, let’s get started with O’Reilly’s “Essential SharePoint 2007” (You can find this at Amazon.co.uk and Amazon.com). I’ve got mixed feelings about this book. I used it a lot when getting started with SharePoint, and it’s a great reference when I go back to do something that I’m not doing frequently. However, it lacks depth, and seems a bit unfocussed, covering areas that developers, administrators and users all need to know. Almost the entire team I work with, both developers and admins, have a copy of the book and use it on occasion, but it’s not a great place to start, and not the best place to go for a detailed technical reference either. I’d say it’s absolutely ideal for someone tackling SharePoint in a smaller company, where you need to have an understanding across the board, rather than specialising in a particular area. In a larger company, it’s a great book if you occasionally work with SharePoint and want a solid technical reminder.

Surprisingly, one of the most useful books for me for SharePoint was “Microsoft SharePoint 2007 for Dummies” (You can find this at Amazon.co.uk and Amazon.com). This may be because I’m a dummy, or just my method of approaching a new technology. I read through a simple introduction to the technology, to get a rough idea of how it works, what the components are, how they fit together, and what the terminology is. Because I start with a simple, clear and concise book, I can pick up that information really quickly, then I can use that information to bootstrap myself up to the complex technical specifics, and actually get the most out of the in depth technical references. The “Microsoft SharePoint 2007 for Dummies” is perfect for this, providing a really solid introduction to the concepts and terminology. I think it’d also be useful for a developer trying to understand how SharePoint fits together and is likely to be used, and very useful for a technical manager who just needs broad brushstrokes while his team does the detail work.

I wasn’t keen on the “Microsoft Office SharePoint Server 2007 Administrator’s Companion” (You can find this at Amazon.co.uk and Amazon.com). Others may feel differently about it – many of the technical people I work with love the style in these Microsoft Press books. I find that it’s too focussed on how to achieve specific goals by clicking specific buttons, rather than focussing on the particular settings you need, and why they are needed. It’s more a philosophical difference than anything – I’m not just focussed on results, I need to know why I’m doing something. I’ve found a solid understanding of a technology leads to much better results … and a much better ability to troubleshoot issues … than simply knowing what you need to click to achieve a particular goal. Unfortunately, that’s the path Microsoft in general have taken with their books and courses, and increasingly seems to be the approach taken by the technical people I meet. If that’s what you want, this book is perfect. I didn’t get on with it. If you check the Amazon reviews, however, you’ll find most people love it.

“SharePoint 2007 The Definitive Guide” (You can find this at Amazon.co.uk and Amazon.com) was pretty good as a guide. Some aspects are very good – its coverage of SharePoint installations and upgrades from 2003 is excellent, for example. Its coverage of network topologies and security is also excellent. Where this falls down, and where the Internet shines, is the fact that I’ve found you need to know how a range of technologies work together to cover many of the odder demands of a SharePoint installation. If you publish a SharePoint site, you’ll probably want to use ISA Server 2006 to secure it, not just rely on SharePoint. Using a SQL server on a different domain via SQL authentication isn’t uncommon for DMZ deployments. This book is great for vanilla SharePoint installs, and is definitive for basic admin tasks, such as deploying and configuring basic sites, roles and permissions. You’ll need to look elsewhere for any installs beyond the vanilla. I rarely go back to this book, but I’d thoroughly recommend reading through it at least once, and using it as a reference if you’re actively looking after SharePoint sites, as opposed to looking after the architecture. If you need to get to grips at the level of the stsadm command line, you won’t find it here.

SharePoint PeoplePicker and ADAM continued…

May 29th, 2009

As a follow up query to the previous notes on working with the PeoplePicker and ADAM, I’ve been asked about the behaviour of the PeoplePicker – specifically, that it appears to only return external users if their username is specifically searched for, not if part of their name is entered.  Is there a way to get exactly the same results for users from AD and ADAM?  Unfortunately, there are pretty severe limits to this, and unfortunately, I don’t believe you can actually get the same results, though I’d love to be proven wrong.

By default, when dealing with custom authentication sources, including ADAM, the PeoplePicker only returns exact matches. If I search for the username, it will find it. If it’s a user already on the site collection, it can use the local user details. However, to find non exact matches in a custom repository, you need to edit the web.config file, by adding the following section:

<PeoplePickerWildcards>
  <clear />
  <add key="ADAMMembership" value="*" />
</PeoplePickerWildcards>

Unfortunately, this solution isn’t perfect. It effectively adds the wildcard symbol * to every search in the people picker. Let’s illustrate this step by step, using a Pat Smith as an example name.

If I search for “Pat”, before updating the web.config file, they’ll only appear with the full name in the results if they’ve already been added to the site somewhere, or if they’re actually in the Active Directory repository.

If I search for “Pat” after updating the web.config file, all the Pats from the ADAM repository and from AD will appear.   Problem solved?  No.

If I search for Smith, as a surname, I’ll get all the Smiths from AD, but not from ADAM. That’s because the search going to ADAM is actually like “Smith*”. It’ll find everything starting with Smith, not all names containing Smith, and I haven’t come across any variations that will actually resolve this search issue. However, you’ll probably find that this is a significant step forward in any event.

As always with SharePoint, make sure you edit all of the relevant web.config files.  You may find SharePoint is happier if you run

iisreset -noforce

after making the change, although in theory you shouldn’t need to - as a rule of thumb, major changes to web applications within SharePoint can have odd consequences otherwise.

Add a dash of SharePoint SP2 to a production server, and admire your new trial server…

May 27th, 2009

In a stroke of rare genius, applying SharePoint SP2 to SharePoint 2007 has a strange effect – it resets the license type to become a 180 day trial version!

It’s not a major issue – reapplying your license key in the “Convert License Type” section in Central Administration will reset it, and you won’t have lost any data in the meantime, but it’s something you need to be aware of… otherwise you might hit more than a few issues in about 6 months!

SharePoint PeoplePicker and ADAM

May 22nd, 2009

One of the comments on my PeoplePicker post asked some questions about the way PeoplePicker works with ECTS – the External Collaboration Toolkit for SharePoint.  To be honest, I haven’t worked with the ECTS myself, but I understand the theory.

The ECTS uses Microsoft’s ADAM – Active Directory Application Mode – to act as a user repository, which gives you a SharePoint structure that should resemble the following:

 

[Figure: External Collaboration Toolkit for SharePoint Architecture]

 

Getting the PeoplePicker to work correctly with this is difficult, but not impossible.  The question asked was what could cause the PeoplePicker to fail to return AD users when logged in as an external user?   Of course, as is often the case with comments on blogs, there really isn’t anywhere near enough information about the setup to answer accurately.

My first guess would be that the PeoplePicker has actually been deliberately configured that way.  It is a potentially huge security risk to allow external users to see all the usernames of your company, which is why many people using ADAM authentication run the following command:

stsadm -o setproperty -url https://<url> -pn peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode -pv yes

This command deliberately stops PeoplePicker returning internal AD users when logged in via forms based authentication outside of windows, including using ADAM.  You can tell if this is turned on by running:

stsadm -o getproperty -url https://<url> -pn peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode

If this is the problem, you can turn the security feature off by running:

stsadm -o setproperty -url https://<url> -pn peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode -pv no

And your PeoplePicker should leap back into life for all users.

However, there are still some quirks with using the PeoplePicker with ADAM, even if AD users are allowed to respond.  Take a look at Matt Morse’s excellent blog on how the PeoplePicker returns different results from ADAM than you might expect if you are used to working with normal windows authentication.

EDIT:-

As always, after applying stsadm commands to your SharePoint installation, don’t forget to either reset IIS or the relevant application pool.