Windows NFS server permissions

One issue we recently ran into was Linux NFS clients blowing away inherited permissions on Windows volumes. To allow rename/mv and chmod to work properly on an NFS (v4 or v3) mount, you need to grant clients ‘full permissions’ on the directory they will be working in. This has the lovely side effect that a chmod, rsync, tar -xpf or anything else that touches permissions completely replaces the local permissions on that directory for ALL users/groups you may have assigned in NTFS.

  1. Create a directory and set appropriate NTFS permissions (Full permissions) with inheritance for multiple security groups.
  2. Share that directory out to an NFS client.
  3. On the NFS client, mount the volume and run ‘chmod 700 /mountpoint’.
  4. Go back into Windows and notice you’ve lost all the inherited permissions you thought you assigned on that share.
  5. Scratch your head, check the KeepInheritance registry key, run tcpdump.
  6. Realize you need to place the permissions you wish to inherit somewhere the NFS client cannot change them.

How we now share volumes out is the following layout: ‘X:\[projectname]\[data]’

  • projectname – high-level, NOT shared directory that holds all the permissions for a project (subfolders, etc.).
    • For groups/users that apply to your Unix clients, make sure they have Full permission.
    • For your Windows-only folks, ‘Modify’ is generally good enough.
  • data – the directory that is actually shared out via CIFS/NFS.

So far this scheme is working pretty well: it allows Unix clients to work properly and do horrible things to local files, while preserving the broader group permissions you want to see on your Windows clients.
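The layout above as an added PowerShell example (not a script from the original post): it builds the project/data pair, puts the NTFS permissions on the unshared project folder, exports only the data folder over NFS, and snapshots the project-level ACL so you can diff it after clients have run chmod/rsync. The drive letter, group names and share name are constructed placeholders; New-NfsShare and its parameters are assumed from the Server for NFS role on Windows Server 2012, not from the post.

```powershell
# Added example, not from the original post. Constructed names: X:\projA, DOMAIN\projA-unix,
# DOMAIN\projA-windows and the share name 'projA'. New-NfsShare (Server for NFS role) and its
# -Permission/-Authentication/-AllowRootAccess parameters are an assumption, not from the post.
param(
    [string]$Project   = 'X:\projA',
    [string]$UnixGroup = 'DOMAIN\projA-unix',     # members work from NFS clients: need Full control
    [string]$WinGroup  = 'DOMAIN\projA-windows',  # Windows-only users: Modify is enough
    [string]$ShareName = 'projA'
)

$Data = Join-Path $Project 'data'
New-Item -ItemType Directory -Path $Data -Force | Out-Null

# All permissions live on the NOT-shared project folder and flow down by inheritance.
# (OI)(CI) = object-inherit + container-inherit; F = Full control, M = Modify.
# /inheritance:r drops anything inherited from X:\ so the project folder is the single source of truth.
icacls $Project /inheritance:r /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
icacls $Project /grant "${UnixGroup}:(OI)(CI)F" | Out-Null   # Full: rename/mv and chmod over NFS need it
icacls $Project /grant "${WinGroup}:(OI)(CI)M" | Out-Null    # Modify for Windows-only users

# Export only the child. NFS clients can rewrite the ACL of 'data' and below, never of the project folder.
New-NfsShare -Name $ShareName -Path $Data -Permission readwrite -Authentication sys -AllowRootAccess $false | Out-Null

# Snapshot of the project-level ACL; rerun after clients have done chmod/rsync/tar and diff the two.
function Get-ProjectAcl {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType |
        Sort-Object IdentityReference
}

$before = Get-ProjectAcl -Path $Project
$before | Export-Clixml -Path (Join-Path $env:TEMP "$ShareName-acl-before.xml")

# Later, e.g. after 'chmod 700 /mountpoint' from an NFS client:
$after = Get-ProjectAcl -Path $Project
$diff  = Compare-Object -ReferenceObject $before -DifferenceObject $after `
             -Property IdentityReference, FileSystemRights, AccessControlType
if ($diff) { $diff | Format-Table; Write-Warning 'Project-level ACL changed' }
else       { 'Project-level ACL unchanged' }
```

The point of the snapshot is verification rather than setup: after the first rsync or tar -xpf from the Unix side, the project folder's ACEs should compare identical, and only the exported data folder (and anything beneath it) should show the client's rewritten permissions.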

SharePoint 2013, the not-quite-getting-it release

‘…Your Enterprise Social Network…’ well almost.

Compared to 2011, 2013 is clearly a large step forward. Document editing works and in my opinion is superior to the Google Docs alternative, the layout is much, much easier to navigate, and at long last MS seems to have backtracked on their ‘Document Libraries are not like shared folders’ stance. The Document Library to Explorer integration and the connection to Office overall is much improved (read: it works).

With all the good things, there are still a few glaring omissions. Given those holes, it appears that the SharePoint dev group either does not eat their own dog food, or has a very convoluted day-to-day work process.

1. Following and forgetting.

You can follow sites and documents, but not folders. We’ve come across a number of times when sharing part of a document library (i.e. working on a single presentation, collecting a limited set of documents, sharing small groups of PPTs/Word documents) is necessary. This works nicely: click Share, type in your colleague’s name, then, for the love of god, make sure your colleague doesn’t misplace that e-mail. There’s no way to follow that folder. I can follow every single document, which is good until someone uploads another document. If it’s not a top-level folder, browsing to that document library doesn’t show it :(.

2. Folders and a filesystem, but not really

SharePoint 2010: don’t use folders and document libraries as file shares. SharePoint 2013: you can mount a document library locally, but folders are bad, use tags instead. NO! If you attach it to Explorer, it should behave like a filesystem; people will use it like a filesystem. Don’t give me a convenient way to access stuff, then say no.

Pretty much all the caveats about file size, characters and path length listed in the Migrating File Shares to SkyDrive Pro blog post mean that SkyDrive Pro is pretty useless for all but the simplest cases.

3. Finding s^$%

You know what’s nice? When someone shares something with you, or gives you access to something, not having to make a conscious effort to bookmark or follow it. Again, take a cue from Dropbox and Google Docs: if someone shares something, or grants me or my group access to it, call me crazy, but I probably want to access it easily. If I don’t, then leave the onus of removing it on me.

A possible solution: allow sharing to automatically add stuff to My Sites, or to a shared document library. Don’t make me use search to find stuff that should be one click away.

4. Sharing, but not to everyone

Apparently MS only e-mails documents to folks outside of Redmond, or only shares documents with people within their corporate borders. Box, Dropbox, Google Docs, Pydio and pretty much everyone else lets me e-mail an obfuscated link to a document that will (shocker!) open that document or folder. Is it perfectly secure? No, however it definitely falls under the ‘lets me get work done’ category.

And before you start: forcing my colleagues to get an Outlook account and federating to outlook.com is not an acceptable solution (here’s looking at you, Skype/Lync).

5. It’s not a Windows world anymore.

SkyDrive Pro and SharePoint document syncing is wonderful… I love it, it’s finally corporate Dropbox for my Office documents… And it’s a complete pain to support anyone who’s not running a PC attached to my domain. Telling your OS X users to use the web to download/open documents isn’t a solution. Having to use the web browser on Android to retrieve documents: not a solution. ‘If you’re not on Windows, you’re a second-class citizen’ isn’t a solution. People have seen the future of document syncing and it looks and behaves like Box and Dropbox; please copy it.

On a related note: Box/Dropbox, give me an on-premise solution for sharing and you’ll probably end up giving SharePoint a run for its money.

All in all, SP 2013 is a huge leap forward: document editing in Office Web Apps is light years ahead of Google Docs, and navigation, the overall layout, site templates, etc. are incredibly powerful. It’s a shame that MS is still determined to do things their way, as opposed to what is in the best interest of their customers.

Lync and Updates and 80240437

For future reference, disabling TLS 1.2 on your Lync 2013 Standard Edition front end will break your ability to update Windows Server 2012. You’ll end up with error 80240437, which is pretty damn useless. Meanwhile, manual installation of cumulative updates works, and your other roles (mediation, edge, monitoring, etc.) all work and patch fine; just your front end is f’d. Hopefully you stumble across this TechNet post and look at the second-to-last post before you go down the rabbit hole. A light bulb will go off and you’ll remember the registry hacks you applied from here several months ago. To patch your server, you’ll need to undo the reg hacks by re-enabling TLS 1.2 (set disable to 0), run Windows Update, then re-enable the registry hacks. Afterwards, grab some rye and curse Microsoft.
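The patch-window dance from the paragraph above as an added PowerShell example (not the post’s own script, and not the TechNet post’s). It assumes the ‘registry hacks’ are the SCHANNEL protocol keys for TLS 1.2, which the post does not name; the state-file path is a constructed placeholder.

```powershell
# Added example, not from the original post. Assumption: the "registry hacks" are the SCHANNEL keys
# under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2.
# Saves the current TLS 1.2 state, turns TLS 1.2 back on so Windows Update can reach the update
# service (error 80240437), and can restore the saved state afterwards.
# SCHANNEL reads these keys at boot, so a reboot is needed after each change for it to take effect.
$Tls12Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$StateFile = Join-Path $env:ProgramData 'tls12-state-before-patching.xml'   # constructed path

function Get-Tls12State {
    foreach ($side in 'Client', 'Server') {
        $p = Get-ItemProperty -Path (Join-Path $Tls12Key $side) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Side              = $side
            Enabled           = $p.Enabled             # $null when the value (or key) is absent
            DisabledByDefault = $p.DisabledByDefault   # $null when the value (or key) is absent
        }
    }
}

function Set-Tls12Value {
    param([string]$Side, [string]$Name, $Value)
    $key = Join-Path $Tls12Key $Side
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($null -eq $Value) {
        # No saved value means the OS default applied: remove the override rather than inventing one.
        Remove-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value ([int]$Value) -Force | Out-Null
    }
}

function Enable-Tls12 {
    foreach ($side in 'Client', 'Server') {
        Set-Tls12Value -Side $side -Name Enabled           -Value 1
        Set-Tls12Value -Side $side -Name DisabledByDefault -Value 0   # the 'set disable to 0' step
    }
}

function Restore-Tls12State {
    param([object[]]$Saved)
    foreach ($s in $Saved) {
        Set-Tls12Value -Side $s.Side -Name Enabled           -Value $s.Enabled
        Set-Tls12Value -Side $s.Side -Name DisabledByDefault -Value $s.DisabledByDefault
    }
}

# Step 1, before patching: record what the Lync tweak left behind, switch TLS 1.2 on, reboot.
$saved = Get-Tls12State
$saved | Format-Table -AutoSize
$saved | Export-Clixml -Path $StateFile
Enable-Tls12
# Restart-Computer; then run Windows Update and install the cumulative updates.

# Step 2, after patching: put the Lync-specific state back only if you still need it, and reboot again.
# Restore-Tls12State -Saved (Import-Clixml -Path $StateFile)
```

Keeping TLS 1.2 disabled is the weak setting here, so step 2 is deliberately commented out: restore the saved state only if the Lync-side problem that prompted the hack still exists, and re-check with Get-Tls12State after the reboot either way.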


More Lync Meeting testing

Just ran a mostly successful Lync 2013 meeting with folks who already do quite a bit of video/teleconferencing.

Some observations on how the meeting went:

  • 1 participant joined via phone.
  • 1 via Windows 7, Firefox and the web client, no problems.
  • 1 via OS X, Firefox and the web client, no problems.
  • 1 joined via Win8 64-bit and Office 2013. The client would freeze when starting. Luckily there was a backup computer with similar specifications that did work.
  • 1 via Win 7 with the Office 2013 Lync client. The client would periodically slow down, with audio/video stuttering and CPU load spiking to 100% (4 cores, 8 GB RAM!), then freeze. After 30 s the client would wake up and continue working with no problem.

Overall quality was significantly better than Adobe Connect; however, the client issues were very disappointing. Hopefully they were one-off errors, but my hopes are fading that 2013 is a viable Adobe Connect replacement.

Sympa and Active Directory

Some basic steps for running Sympa on Ubuntu 12.04 and using Active Directory’s Global Catalog to auto-populate list membership from AD groups.

Ubuntu Notes

  • apt-get install sympa will give you a ‘mostly’ working version.
  • chown -R sympa /var/lib/sympa
  • The suid wrapper does not work on 12.04. You will need to create a sudo wrapper instead:
    • Set use_fast_cgi 1 in /etc/sympa/wwsympa.conf.
    • Create /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.fcgi with the following contents and make it executable:
      #!/usr/bin/perl
      # Re-exec the real FastCGI script as the sympa user; -E passes the CGI/FastCGI environment through.
      exec '/usr/bin/sudo', '-E', '-u', 'sympa', '/usr/lib/cgi-bin/sympa/wwsympa.fcgi'
          or die "exec of wwsympa.fcgi via sudo failed: $!";
    • In apache/conf.d/sympa, point the ScriptAlias at the wrapper:
      ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.fcgi
    • Add the following line to your sudoers file (with visudo). SETENV is what permits the -E above; the rule lets www-data run exactly that one command as sympa and nothing else:
      www-data ALL = (sympa) SETENV: NOPASSWD: /usr/lib/cgi-bin/sympa/wwsympa.fcgi

LDAP/AD Bound Lists

  • If you only have one domain, you can just use the configuration below and point it at one of your domain controllers.
  • If you want to use forest-wide groups, you have two options for reaching them:
    • In the list’s LDAP config, point at the DC the group resides in. Change suffix, host and user as appropriate, set use_ssl to yes, and drop the :3268.
    • Make the group universal and query the Global Catalog on port 3268 (the route I chose).
  • This works with either security or distribution groups, but will NOT include nested membership.
  • LDAP configuration (Global Catalog variant). Replace the placeholder host, DNs and password with your own. Two caveats: the bind password sits in clear text in the list config, so keep that file readable by the sympa user only; and with use_ssl no the bind credentials and member list cross the wire unencrypted, so prefer the Global Catalog SSL port 3269 with use_ssl yes where your DCs offer it.
    include_ldap_query
    name any_name
    host dc1.mydomain.org:3268
    use_ssl no
    ssl_version tls
    ssl_ciphers ALL
    user CN=Read Account,OU=...,DC=domain,DC=org
    passwd your_password
    suffix DC=domain,DC=org
    scope sub
    filter (memberOf=CN=Some Group,OU=...,OU=...,DC=research,DC=domain,DC=org)
    attrs mail
    select first
    timeout 30