Behold, the The Objective Rack - Mark IV!
This whole rack-rebuild project took most of Saturday. Thankfully everything of mine came up ok afterwards. Unfortunately a friend's server (that I've started hosting as of last weekend) didn't come up so easily. After a whole night of frantic tinkering attempts, I backed up all the data I could salvage and we reinstalled it this morning.
This is but the latest in a continual cycle I go through....
1) Build rack all nice and neat
2) Use new setup for a while
3) Gradually decide to change things over time (add new machines, remove old machines, etc.)
4) Decide that the once-elegant rack has become a mess of tangled wires and ad-hoc mounting
5) Tear it down and repeat from step 1.
As I said, this is the 4th iteration of my attempts at building a rack of computer equipment for my personal use. Here's the history in chronological order:
Mark I - Moved to an apartment in Florida, bought the rack in the process, got everything all setup. Many of my systems weren't rackmount, so I used a lot of rack-mount shelves.
Mark II - Upgraded a lot of equipment, had a lot of new stuff to mount (including an E4000 and a big RAID box), and took the desktops out of the rack. First use of the term "objective rack".
Mark III - Moved from the apartment to a house, finally had the proper mounting kit for the E4000, needed to get everything setup again.
Mark IV - Retired some of the more power-hungry equipment (E4000 and big RAID box), changed a lot of systems around, had some new equipment and cable-guide stuff to integrate.
Prior to the rack, I went through a series of wire-shelf-based setups. These began my sophomore year of college with this setup, and continued with a new iteration every academic year.
Sunday, December 18, 2005
Tuesday, December 06, 2005
Fun with LDAP and Kerberos
Several weeks ago I decided that I want my firewall to no longer be a Solaris machine, and that I wanted a dedicated authentication/utility server. The goal was to decouple my internal utility services (authentication, DNS, NTP, etc.) from my main servers. So I dug up a cheap 1U server, put FreeBSD on it, made it my firewall/internal-router/external-DNS/etc. box, and took my Netra T1 out of production.
Since the Netra T1 was to be the new auth server, I began last week by blowing away its prior installation and giving it a fresh load of Solaris 10. (note: always remember to make the small dedicated partition for the SVM metadb replicas *before* installing Solaris) I then got my internal DNS migrated to it, as well as NTP.
For a while, I was running good 'ole NIS to do my distributed user accounts. Of course its an old protocol, and everyone says to upgrade, but it "just f**ing works", and I can configure it in my sleep on just about any *nix. Of course the whole point of this auth server was to try something new. Originally I knew I wanted to take a shot at LDAP again, as I've tried (and failed) before, going back to NIS. As I approached this past weekend, and did some reading, I decided to take a bigger chunk and try LDAP with Kerberos.
So on Saturday I brought the Netra out to the LEAP Installfest, and started getting OpenLDAP and the Kerberos that comes with Solaris (SEAM) all installed and configured. By Sunday afternoon, I was still tinkering, and things still weren't yet working right. I figured out how to migrate my NIS accounts into LDAP, knew how to make users in Kerberos, but client authentication just wasn't working right. (it sort-of worked to my FreeBSD server, and didn't work with my Solaris one) I spend way too much time staring at PAM debuging output, and continued to be baffled.
So I said f*ck it, pulled out OpenLDAP, and went and installed "Sun Java System Directory Server 5.2". (which used to be called SunONE *something*, which used to be called iPlanet *something*, which used to be Netscape *something*) The name sounds fancy, but it really is just an LDAP server with some graphical (and the usual command-line) admin tools.
After tinkering all night, it was almost working. In the morning I figured out the magic extra LDAP user parameter to finally get authentication working. So by sometime Monday morning, I could do name lookups and authentication against the SJSDS LDAP server from both my Solaris and FreeBSD servers. However, while I had SSL configured on the LDAP server, it wasn't reaching down to the clients.
I spent all of last night attacking the SSL issue... You see, LDAP isn't really a good authentication protocol (which is different from an authorization/lookup protocol, which it is decent at). Without SSL, you have 2 authentication types... simple (your client sends your password IN CLEAR TEXT over the wire to the LDAP server), and CRAM-MD5/DIGEST-MD5 (the password isn't in the clear on the wire, but it is IN CLEAR TEXT in the LDAP database itself. (thus breaking my desire for password-hash compatability with the data I imported from NIS) In any case, but the end of the night, I got simple authentication with SSL working. Thus, no cleartext passwords anywhere.
Then tonight I got brave again... You see, the Sun JSDS docs do have a good writeup on integrating Kerberos. But when I initially tried it, the ns-slapd process (the LDAP server itself) kept core-dumping. Apparently, this was a known issue according to the release notes, and there was even a fix (which worked!). So as of the middle of this evening, I actually succeeded in getting LDAP+Kerberos fully functional across all my remote-access systems. I even figured out how to convince PAM on my Solaris server to use SSL LDAP authentication for users that don't yet have a Kerberos principal. (couldn't figure out how to tweak PAM to do that seemlessly on FreeBSD, though.) Now that Kerberos is working, its only a matter of time before I find myself fully taking advantage of what it has to offer.
In any case, I think I've conquered LDAP+Kerberos. Next step is to eventually get around to figuring out exactly what I did, and producing a detailed technical writeup to help others in the future. (sure, the web is full of such writeups, but they're all partial and I needed to piece together hints from all of them to get things working.)
Since the Netra T1 was to be the new auth server, I began last week by blowing away its prior installation and giving it a fresh load of Solaris 10. (note: always remember to make the small dedicated partition for the SVM metadb replicas *before* installing Solaris) I then got my internal DNS migrated to it, as well as NTP.
For a while, I was running good 'ole NIS to do my distributed user accounts. Of course its an old protocol, and everyone says to upgrade, but it "just f**ing works", and I can configure it in my sleep on just about any *nix. Of course the whole point of this auth server was to try something new. Originally I knew I wanted to take a shot at LDAP again, as I've tried (and failed) before, going back to NIS. As I approached this past weekend, and did some reading, I decided to take a bigger chunk and try LDAP with Kerberos.
So on Saturday I brought the Netra out to the LEAP Installfest, and started getting OpenLDAP and the Kerberos that comes with Solaris (SEAM) all installed and configured. By Sunday afternoon, I was still tinkering, and things still weren't yet working right. I figured out how to migrate my NIS accounts into LDAP, knew how to make users in Kerberos, but client authentication just wasn't working right. (it sort-of worked to my FreeBSD server, and didn't work with my Solaris one) I spend way too much time staring at PAM debuging output, and continued to be baffled.
So I said f*ck it, pulled out OpenLDAP, and went and installed "Sun Java System Directory Server 5.2". (which used to be called SunONE *something*, which used to be called iPlanet *something*, which used to be Netscape *something*) The name sounds fancy, but it really is just an LDAP server with some graphical (and the usual command-line) admin tools.
After tinkering all night, it was almost working. In the morning I figured out the magic extra LDAP user parameter to finally get authentication working. So by sometime Monday morning, I could do name lookups and authentication against the SJSDS LDAP server from both my Solaris and FreeBSD servers. However, while I had SSL configured on the LDAP server, it wasn't reaching down to the clients.
I spent all of last night attacking the SSL issue... You see, LDAP isn't really a good authentication protocol (which is different from an authorization/lookup protocol, which it is decent at). Without SSL, you have 2 authentication types... simple (your client sends your password IN CLEAR TEXT over the wire to the LDAP server), and CRAM-MD5/DIGEST-MD5 (the password isn't in the clear on the wire, but it is IN CLEAR TEXT in the LDAP database itself. (thus breaking my desire for password-hash compatability with the data I imported from NIS) In any case, but the end of the night, I got simple authentication with SSL working. Thus, no cleartext passwords anywhere.
Then tonight I got brave again... You see, the Sun JSDS docs do have a good writeup on integrating Kerberos. But when I initially tried it, the ns-slapd process (the LDAP server itself) kept core-dumping. Apparently, this was a known issue according to the release notes, and there was even a fix (which worked!). So as of the middle of this evening, I actually succeeded in getting LDAP+Kerberos fully functional across all my remote-access systems. I even figured out how to convince PAM on my Solaris server to use SSL LDAP authentication for users that don't yet have a Kerberos principal. (couldn't figure out how to tweak PAM to do that seemlessly on FreeBSD, though.) Now that Kerberos is working, its only a matter of time before I find myself fully taking advantage of what it has to offer.
In any case, I think I've conquered LDAP+Kerberos. Next step is to eventually get around to figuring out exactly what I did, and producing a detailed technical writeup to help others in the future. (sure, the web is full of such writeups, but they're all partial and I needed to piece together hints from all of them to get things working.)
Monday, October 31, 2005
Reflections on uber-geekness...
As extreme and weird as we may seem in our computer-related projects, the truth is that we're often doing the same things as normal users. Its just that we find much more sophisticated ways of accomplishing them...
Normal people use laptops to get computing anywhere in the house.
Ubergeeks deploy a server infrastructure with a hot-desktable thin-client solution.
Normal people check e-mail through their ISP or something like gmail/hotmail/etc.
Ubergeeks run their own e-mail server with IMAP+SSL, SMTP AUTH, and server-side mail filtering.
Normal people use their desktop PC when they need to run a Windows application.
Ubergeeks install Windows 2000 Server on a SunPCi card in their Sun enterprise server and install Citrix Metaframe Presentation Server to provide multi-user Windows application access authenticated through Samba, and still refuse to play Snood.
Normal people listen to MP3s with WinAmp or iTunes off their desktop's hard drive.
Ubergeeks mount an NFS export from their RAID file server and play the MP3s in XMMS.
Normal people watch movies off their DVD player or their cable services.
Ubergeeks construct network-booted machines running MythTV to stream movies off their RAID file server.
Normal people buy telephones at Walmart and use them to talk to their friends.
Ubergeeks run Cat5e across their houses, and deploy an IP Telephony solution through an Asterisk box.
Normal people think a "router" is an $80 Linksys box you buy at CompUSA that lets them connect multiple PCs to the internet.
Ubergeeks think a "router" is a multi-service rackmount Cisco device with ethernet, T1, and frame-relay interfaces, capable of supporting OSPF and BGP.
Normal people use laptops to get computing anywhere in the house.
Ubergeeks deploy a server infrastructure with a hot-desktable thin-client solution.
Normal people check e-mail through their ISP or something like gmail/hotmail/etc.
Ubergeeks run their own e-mail server with IMAP+SSL, SMTP AUTH, and server-side mail filtering.
Normal people use their desktop PC when they need to run a Windows application.
Ubergeeks install Windows 2000 Server on a SunPCi card in their Sun enterprise server and install Citrix Metaframe Presentation Server to provide multi-user Windows application access authenticated through Samba, and still refuse to play Snood.
Normal people listen to MP3s with WinAmp or iTunes off their desktop's hard drive.
Ubergeeks mount an NFS export from their RAID file server and play the MP3s in XMMS.
Normal people watch movies off their DVD player or their cable services.
Ubergeeks construct network-booted machines running MythTV to stream movies off their RAID file server.
Normal people buy telephones at Walmart and use them to talk to their friends.
Ubergeeks run Cat5e across their houses, and deploy an IP Telephony solution through an Asterisk box.
Normal people think a "router" is an $80 Linksys box you buy at CompUSA that lets them connect multiple PCs to the internet.
Ubergeeks think a "router" is a multi-service rackmount Cisco device with ethernet, T1, and frame-relay interfaces, capable of supporting OSPF and BGP.
Friday, October 28, 2005
A necessary evil...
Yup, I'm talking about Windows here. As much as I normally avoid it, the need to use it does occasionally crop up. It could be when the g/f wants to go to some ActiveX game-tracking ESPN site, someone actually *needs* to use MS Office (the real thing), or when I want to run some embedded development software written for low-end Windows tinkerers.
Of course your usual Windows desktop is useless for this, give how my computing setup is presently designed. Outside of my personal desktop in my computer room, all my "around the house" computers basically consist of SunRay thin clients. (which provide an X-based desktop running Gnome served off a Solaris machine) Even with VNC (which is slow and crappy) or "Remote Desktop" from a normal Windows machine running your average desktop version of Windows, I'd still run into problems once more than one person wanted to use the thing at a time.
So, what I need is a mult-user remote-desktop-capable Windows machine...
For the hardware, I've got a SunPCi II card currently sitting in my Sun Blade 1000 workstation. This is a machine I plan to turn into a server soon to replace the Sun E420R which I've been using as an interim server since I decided that my Sun E4000 used too much power. In any case, I've been using the SB1000 for tinker purposes lately, so it was perfect to test out some things on. Now the SunPCi II was basically a 600MHz Celeron with 192MB of RAM on a PCI card inside the Sun. I've since upgraded it to a 743MHz Pentium III (1GHz P3 with a 100MHz FSB... darn clock multiplier locks). I also need to add RAM.
For the software, I basically had two choices... Windows 2000 Server or Windows 2003 Server. Since the SunPCi II software only supports Win2k Server, my decision was made there. So I got that installed and running. Unfortunately, to my dismay, the "Terminal Services" in Win2k server (remote desktop backend) only supported 8-bit color, and might not work as well as desired for the serial ports. Thankfully, there was an alternative... (I know WinXP Pro would have worked, but it would have failed my multi-user requirement if both users wanted to be using at the same time.) I dug out this wonderful product called Citrix Metaframe XP Presentation Server. (3rd party remote desktop up the wazoo) Not only did it work with serial ports, but I even got login music (which I promptly disabled).
Now there was just one piece of the puzzle left... authentication. So I went ahead, and once and for all figured out how to get Windows domain-style logins running through my Samba server. Now all my normal "Logicprobe accounts" can also be used to log into this Windows machine.
(I'll have to set this all up again when I rebuild that SB1000 into a server, but at least I've done a test run of everything and know it will work.)
Of course your usual Windows desktop is useless for this, give how my computing setup is presently designed. Outside of my personal desktop in my computer room, all my "around the house" computers basically consist of SunRay thin clients. (which provide an X-based desktop running Gnome served off a Solaris machine) Even with VNC (which is slow and crappy) or "Remote Desktop" from a normal Windows machine running your average desktop version of Windows, I'd still run into problems once more than one person wanted to use the thing at a time.
So, what I need is a mult-user remote-desktop-capable Windows machine...
For the hardware, I've got a SunPCi II card currently sitting in my Sun Blade 1000 workstation. This is a machine I plan to turn into a server soon to replace the Sun E420R which I've been using as an interim server since I decided that my Sun E4000 used too much power. In any case, I've been using the SB1000 for tinker purposes lately, so it was perfect to test out some things on. Now the SunPCi II was basically a 600MHz Celeron with 192MB of RAM on a PCI card inside the Sun. I've since upgraded it to a 743MHz Pentium III (1GHz P3 with a 100MHz FSB... darn clock multiplier locks). I also need to add RAM.
For the software, I basically had two choices... Windows 2000 Server or Windows 2003 Server. Since the SunPCi II software only supports Win2k Server, my decision was made there. So I got that installed and running. Unfortunately, to my dismay, the "Terminal Services" in Win2k server (remote desktop backend) only supported 8-bit color, and might not work as well as desired for the serial ports. Thankfully, there was an alternative... (I know WinXP Pro would have worked, but it would have failed my multi-user requirement if both users wanted to be using at the same time.) I dug out this wonderful product called Citrix Metaframe XP Presentation Server. (3rd party remote desktop up the wazoo) Not only did it work with serial ports, but I even got login music (which I promptly disabled).
Now there was just one piece of the puzzle left... authentication. So I went ahead, and once and for all figured out how to get Windows domain-style logins running through my Samba server. Now all my normal "Logicprobe accounts" can also be used to log into this Windows machine.
(I'll have to set this all up again when I rebuild that SB1000 into a server, but at least I've done a test run of everything and know it will work.)
Thursday, October 27, 2005
Ahh, the joys of geeking out...
On Saturday I was visiting a friend of mine who recently bought a house over in the Winter Springs area. While there, I ran across a CD he had of a game from Sierra called Alien Legacy. I remember playing this game from hours on end, and it took me back.
So the next day, when at home, I decided to get out my bad-ass gaming box. This thing has specs that'll make you drool. The box is a loaded 486DX-33MHz with a whopping 16MB of RAM (probably worth about $800 retail), a fantastic Number Nine #9GFX VESA Local Bus (VLB) graphics card, Sound Blaster 16 sound card, and an Adaptec ISA SCSI card. That's right... Both the CD-ROM drive and hard drive are SCSI. I even wound up upgrading from the 400MB drive I was using to an enormous 2 "gigabyte" hard disk. And for the heck of it, I also decided to order a VLB SCSI card to replace the ISA one I had. This thing's definitely a screamer, and no idea how I got my hands on it :-)
Needless to say, Alien Legacy ran really well on it.
Oh, wait... It's 2005, not 1993... That machine's probably someone's old junk collection that they'd pay me to take away. :-D
Well, in reality, its a machine I decided to build a couple years ago with the goal of being the uber-dream-machine from 1993'ish, to run those old games really well. At this point, the only other upgrade I'd even consider would be for a 408DX2-66, simply because TIE Fighter can get jerky at times.
In any case, I also chose a fitting name for this machine... Phologiston.
So the next day, when at home, I decided to get out my bad-ass gaming box. This thing has specs that'll make you drool. The box is a loaded 486DX-33MHz with a whopping 16MB of RAM (probably worth about $800 retail), a fantastic Number Nine #9GFX VESA Local Bus (VLB) graphics card, Sound Blaster 16 sound card, and an Adaptec ISA SCSI card. That's right... Both the CD-ROM drive and hard drive are SCSI. I even wound up upgrading from the 400MB drive I was using to an enormous 2 "gigabyte" hard disk. And for the heck of it, I also decided to order a VLB SCSI card to replace the ISA one I had. This thing's definitely a screamer, and no idea how I got my hands on it :-)
Needless to say, Alien Legacy ran really well on it.
Oh, wait... It's 2005, not 1993... That machine's probably someone's old junk collection that they'd pay me to take away. :-D
Well, in reality, its a machine I decided to build a couple years ago with the goal of being the uber-dream-machine from 1993'ish, to run those old games really well. At this point, the only other upgrade I'd even consider would be for a 408DX2-66, simply because TIE Fighter can get jerky at times.
In any case, I also chose a fitting name for this machine... Phologiston.
Subscribe to:
Posts (Atom)