Skip to content. | Skip to navigation

Personal tools

Sections
You are here: Home / Sonstiges / Usefull insigths

Usefull insigths

Here I collect short descriptions of solutions I found by painfully trying. Hope it helps.

Print Accounting with Kyocera and Linux

Changes to be made in the PPD-File to send print accounting keys to a Kyocera (TaskAlpha 5551) printer

 

The code below will add a password field with 5 digits to the printer properties. This is sent as accounting number. It works e.g. with Firefox. For other (older ?) programms you still have to add all valid keys (+lots of invalid keys for "statistical" security) according to the pattern of the line above the dots.
*% Management Code Definitions
*OpenUI *KmManagment/Auftragsz<E4>hlung: PickOne
*OrderDependency: 60 AnySetup *KmManagment
*DefaultKmManagment: Custom
*KmManagment Off: ""
*KmManagment MG00268/00268: "(00268) statusdict /setmanagementnumber get exec"
...
*CloseUI: *KmManagment
*% Management Code Definitions
*CustomKmManagment True: " statusdict /setmanagementnumber get exec"
*ParamCustomKmManagment Kopiernummer: 1 passcode 5 5

 

 

Getting Rid of Gomobile in plone

some more deleting of gomobile - read other pages to find stuff in the zope-configuration interface

I used wildcard.fix-perisitent-utilities. Wenn started for the site root it crashed with a type error in line 185 (get set descriptor as argument for encodeb64). It could be started from the plone root and I manually requested to remove the gomobile interface class (the one that shows up in the error message when trying to modify extensions). Then it could be started from the site root and actually re-added that class (and some more) as a fake class.

Now suddenly everything works normal (I hope it stays that way).

Wake Nexus 4 from deep hibernation & battery empty

Google asks to hold "volume down" and "power" to hard-reset your mobile. If the battery is realy empty. you have to:

deconnect charger

hold the keys and while holding them

reconnect charger

Free HD Space Windows 7,8

have a look into

<every user folder> -> AppData -> Local -> VirtualStore

many deinstallers forget data there.

Zyxel NWA 1123 repeater mode and VLANs

Seemingly the repeater cannot tag packets. It is not possible to use several IDs on the repeater. Disable VLAN on the repeater or (almost) nothing will work. (12/22/2014, hope Zyxel fixes that)

If you want the data from the repeater put into a VLAN you have to set that ID in the SSID offered for repeating by the Root-AP on the RootAP. All packets from the repeater will receive that ID.

To remotely manage the Repeater it will need a LAN-IP Address supported by that one VLAN-ID (no VLAN meens no managment-VLAN).

The repeater does not repeat other SSIDs defined on the Root-AP. All SSIDs have to be defined locally and cannot be defined on the band used for repeating. This band is effectively "lost" for the repeater, wich is not a bug but a smart decision considering throughput.

Caveat: If you do not specify other SSIDs on the (other band of the) repeater it will offer access to the SSID used for repeating WITHOUT SECURITY; seems to be some fallback mechanism.

dnssec and (vs) ntp

Specify at least one time-server by IP

Otherwise if system time is too different from real time, dnssec will prevent ntp from resolving names as all certificates are outdated.

Thus NTP cannot set the time and the problem will not be resolved automatically.

nginx map breaks positional parameters in rewrite

This seems to be a known problem and might be fixed in the future.

 

using $1,$2 in rewrites that take place after map has matched something fails.

so use named parameters instead

 

rewrite a(.*) yolo$1

becomes

rewrite a(?<myname>.*) yolo$myname

openssl 0.9.8 to openssl 1.0.x CA certificates stop working

You will _not_ have this problem if you completely reinstall everything.

Using a binary linked to libssl 1.x in an 0.9.8 environment will show all certificates as invalid. This is because the root certificates are hashed with a different hash function in 1.x.

You have to download the 1.x distro from openssl.org, Then call the included c_rehash as "c_rehash -n <the certs directory>". You must use the one from the download, not the default one AND  make sure the OPENSSL environment variable points to a 1.x openssl binary. Then -n will prevent the old links from beeing deleted, so your 0.9.8 software will continue to operate.

Identical computers some have net some don't

Some of your computers - identically set up like the others - cannot connect to the server, no dhcp, no ping no nothing

You are probably using trunking on on of your switches. Some switches implement "load balancing" by distributing packets to the different ports according to some hash value of the MACs involved. A part of the trunk has lost connection, so some MACs effiently are blocked.

Watch for identical MACs

By rule this never should happen, but it does

Computers in the same broadcast domain work perfectly one used alone, but fail when used simultaneously: Check their MAC addresses! Some vendor managed it to deliver four computers with identical MACs to us. This happens when you set the MAC by software (why ever) an then clone the drives.

Plone language translation not working anymore

i18n translate does not translate

The symptoms are these: 3d party pinned stuff is still translated. Stuff from new packages is not translated although the content language is set correctly.

Whith Plone 4 the .po files are not automatically compiled to .mo files. You have to add this to your buildout:

 

environment-vars =
zope_i18n_compile_mo_files true

 

VLAN Mikrotik Switch

To match only untagged packets in Mikrotik ingress-vlan-translation you have to set a customer-vid of 0. This cannot be done from the graphical interface in 6.32 (bug). You have to use the ssl/telnet interface.

freeradius primary ldap gid per client

How to allow certain primary ldap groups on certain accesspoints with freerardius and tunneled eap sessions

The client is known to the outer (default) session, but the gid is only known to the inner (inner-html).

->add new dictionary entries

ATTRIBUTE williGID 3000 integer
ATTRIBUTE williAllowedGID 3001 integer

->add list of allowed gids in hints

DEFAULT NAS-IP-Address == 192.168.72.3
williAllowedGID = 1003,
williAllowedGID += 101

->get gid assigned in ldap module

control:williGID := 'gidNumber'

->check it in authorize part of inner.tunnel

if (&outer.request:williAllowedGID){

if (&outer.request:williAllowedGID[*] == &control:williGID){
noop
}
else{
reject
}

 

Selinux audit2allow comes up with new rules

everytime you run it

Kernel/Audit are dropping stuff.

read this:

http://blog.siphos.be/2015/05/audit-buffering-and-rate-limiting/

flush before fork

or the stuff gets written twice

If you use a buffered output function like fprintf you have to flush the associated filedescriptor/stream before calling fork, otherwise the buffer will be duplicated by fork an the output is written twice.

Mikrotik switch acl invert

Be careful with "invert" from the GUI

This is about the ACL part of the switch part. This is not for general RouterOS, but as in the cheaper switches the RouterOS part is connected with 1Gb/s to the switch while the switch works at 10Gb/s per SFP+ Port, you have to use vlan/acl from this menu.

Seemingly "invert"  in the "new ACL" dialog does not only invert matching for ports (as suggested by the surroundig box) but for everything, so you mostly end up matching way more than you want,

I wanted to match all dhcp server packets not from the uplink port, but it matched all not (dhcp server packets from the uplink port) and completely locked me and everybody out. So I hat to connect to the serial port (only other choice: full reset) to fix this. 

Btw. the pinout for the serial cable on the mikrotik website is flipped. Check out pinouts for "Cisco serial" to see better descriptions. And finally: a speed of 115200 worked for me.  

Selinux transitions on nosuid mounted partitions

So you have a nice nosuid mounted directory for chroot/lxc But you cannot transition into your desired selinux context

-> selinux does not transition to entry-points on nosuid partitions unless the contexts are nested by typebounds. 

You will find long stories about why in the web.

use openssl engine pre command

supply PIN to ssl engine

In order to use a parent key with a password you have to run openssl als single command and issue the sub-commands interactively

openssl

> engine ... -pre PID:mysecret

> req ...

Selinux blocks instruction and audit2allow says "already allowed"

you are probably using typebound security classes

Anything allowed in the "lower" class must be allowed in the "upper" too, in order to be executed.

Audit2allow / Audi2why will always blame the "lower" class for this although the change needs to be done in the "upper".

Restore Office365 onpremise synchronisation

change immutableids to match objectguids

Windows associates on premise Accounts with Azure AD by comparing the ObjectGUID from the local Account to the immutableID of Azure.

The following scripts use the email address as unique identifier to rejoin local and remote accounts:

 

Get the ObjectGUIDs ( example on linux, can be windows too):

 

ldapsearch -h <host> -p 3268 -D "cn=<admin>" -b "ou=<where the users are>" -W -x -s sub sAMAccountName objectGUID > /tmp/immutables

Format and create Email-Adresses:

cat /tmp/immutables | awk '/^objectGUID/{a=$2;}/^sAMA/{print$2"@<company.com>",a}' > /tmp/match

Now we switch to a Windows computer.

Copy the /tmp/match file to that computer

Start Powershell

Install-Module -Name AzureAD

Connect-AzureAD

Login with administrator credentials

set-executionpolicy remotesigned

Create Backup of old immutableIDs (max 2000)

Get-AzureADUser -top 2000 | Select-Object userprincipalname,immutableid > C:\users\public\BackupImmutable.txt

Set new immutables:

cat <wherever match is> | ForEach-Object{$mail,$immut=$_.split("");Set-AzureADUser -ObjectId "$mail" -immutableid "$immut"}