Tuesday, June 19, 2007

Father's Day

So, Father's Day.

A bit complicated for me. Stressful.

I love my family. Nothing to do with that. I was stressed. Nervous. Agitated.

Why? I don't know. I had to return to this post for final editing weeks later. I guess it mainly has to do with not seeing my father for over a year now. A lot of strange, conflicted emotions over that. Understandable I guess.

It was a good day overall. Emilie is old enough to 'get' holidays now. So she bought me a gift. Was very tickled with the whole concept of a 'daddy's day'.

Kids are great. You learn so much about yourself by interacting with them.

Saturday, June 9, 2007

Microsoft's implementation of Kerberos

I'm going to go on a technical rant for a moment, because none of this information seems to be accumulated in one spot anywhere.

You can read about how Kerberos was developed by MIT, and how it's a fine idea and so forth, at Wikipedia. What I'm ranting about is how Microsoft implemented it in their Active Directory, and why it has a bunch of undocumented problems that large (or anally secure) organizations will run into eventually.

The first problem an organization will hit upon, the tip of the God damn iceberg, is that for some reason, some users in the environment will all of a sudden no longer get their home drives. Strange things will happen with DFS mappings that work for everyone else. Group policies will cease to be enforced. If you have DCs in slow-connection sites (especially over VPN or other small-packet traffic connections), the DCs will get out of sync.

You'll probably start to see issues when users are a member of around 130 groups. Yes, this includes default groups and nested group relationships. And distribution lists. Not really that hard to get there in any complex environment.

When this happens, fire whoever designed your active directory structure. Start over. You're headed into pain-in-the-ass land. If you can't (say you have SOX audits and other bullshit to deal with), then read on.

The reason you're having issues is that Microsoft by default sends the entire fucking Kerberos authentication in one UDP packet. Jesus Christ, talk about stupid. As any network engineer (or even some non-network engineers) can tell you, UDP can't be fragmented. So when your Kerberos packet gets too big, it stops working. The machine you're authenticating with will only get the info that fits into the first packet. This could mean you don't get access to an application you should, etc. I found it consistent that users with large Kerberos tickets wouldn't get group policy applied at all. Home drives also stopped working. DFS permissions behaved oddly. Sometimes you'd only see 1/3 of the directories you should.

All this can be fixed by doing this: http://support.microsoft.com/kb/244474/en-us.

For the lazy, all machines (servers and workstations) will need this:


This should be put into the group policy that applies to every machine in your environment. All domain controllers, servers, workstations, etc. It's imperative that all these machines can pass Kerberos tickets using TCP instead of UDP.

Not so bad, right? Hit a brick wall with authentication, so you patch or push a reg key change to every fucking machine and reboot your whole environment. Jesus, try to do it during Microsoft's monthly patch cycle or something so your management team doesn't think you're a bunch of retards or something. I can't convey to you the look of disgust I got from management when I explained this problem (Microsoft won't call it a bug). A serious lack of forward planning from the Microsoft development team here.

But I digress.

Next, you'll start to run into more issues with any application that runs in IIS. This will crop up when users get into the 350 group membership range. It's variable, since the text of the group name and SID get dumped into your Kerberos ticket.

This is a buffer over-run problem in IIS. Read up on http://support.microsoft.com/kb/820129 to get the gist of what is going on.

In a nutshell, you need to add a couple of DWORD entries to the HTTP Parameters key.


These numbers are probably higher than you need, but you're already going against IIS's security model by mucking with this, so who gives a shit at this point right? It's all about making things work.
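The two registry fixes above (the Kerberos-over-TCP change from KB 244474 and the HTTP.sys header limits from KB 820129) are the kind of thing you want to audit across a fleet rather than click through by hand. The script below is an added example, not the author's own, and it is not copied from either KB article. It reports how many group SIDs are in the current logon token (the number that actually drives ticket size), then checks each value and only writes it when run with -Apply. The MaxPacketSize=1 value is the one KB 244474 documents for forcing TCP; the two HTTP.sys numbers are my own generous choices, so check the ranges in KB 820129 before pushing them. Save it as a .ps1 and run it from an elevated prompt.

```powershell
# Added example (not from the original post). Audits the KB 244474 / KB 820129
# registry values and the current token's group count. Pass -Apply to write.
param([switch]$Apply)

# Number of group SIDs in the current logon token. The 130 / 350 figures are the
# rough thresholds quoted in the post, not hard limits.
$groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
Write-Host "Token contains $groups group SIDs"
if ($groups -ge 350)     { Write-Warning "Over ~350 groups: expect IIS/HTTP.sys 400 errors (KB 820129)" }
elseif ($groups -ge 130) { Write-Warning "Over ~130 groups: expect UDP Kerberos failures (KB 244474)" }

# Desired values. MaxPacketSize=1 forces Kerberos to use TCP (documented in KB 244474).
# The HTTP.sys limits are assumptions chosen for this example; KB 820129 gives the ranges.
$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'; Name = 'MaxPacketSize';   Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters';        Name = 'MaxFieldLength';  Value = 65534 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters';        Name = 'MaxRequestBytes'; Value = 16777216 }
)

foreach ($s in $settings) {
    # Get-ItemProperty returns nothing (no error) when the key or value is absent.
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($current -eq $s.Value) {
        Write-Host "OK      $($s.Name) = $current"
    }
    elseif ($Apply) {
        # The Kerberos\Parameters key does not exist by default; create it only when applying.
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
        Write-Host "SET     $($s.Name): $current -> $($s.Value) (reboot for it to take effect)"
    }
    else {
        Write-Host "MISSING $($s.Name) = $current (want $($s.Value)); rerun with -Apply"
    }
}
```

Two caveats worth knowing when you roll this out. The UDP problem is really about fragmented datagrams: IP will fragment a large UDP Kerberos reply, but firewalls, VPN concentrators and some NAT devices drop the fragments, so the client sees a truncated or missing reply; switching to TCP sidesteps that. And Windows Vista / Server 2008 and later default to TCP for Kerberos, so the MaxPacketSize line matters for the XP / Server 2003 era fleet this post is describing, while the HTTP.sys limits still apply to any IIS box serving users with big tokens.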

So, once you deal with that, you'll probably also want to take a look at how SQL works with Kerberos authentication. You'll want to get familiar with the "trusted for delegation" check box in the AD properties of servers, and learn what the hell SPNs are and how to set them (SETSPN is a crappy tool; using ADSIEdit seems to work better).

Take a visit to http://support.microsoft.com/kb/319723/en-us to check out Kerberos authentication for SQL.

Check out this for more info on IIS http://support.microsoft.com/kb/324274/en-us.
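When Kerberos to SQL Server "doesn't work", it almost always silently falls back to NTLM, and the web tier's second hop then fails. The script below is an added example (not the author's, and not from the KB articles above) that checks the three pieces the post names: the SPNs on the SQL service account, the delegation bit on the web server's computer object, and what a real connection actually negotiated. The account, server and instance names are placeholders; it assumes setspn.exe is on the path (the -X duplicate check needs the Server 2008 or later version) and that you can open a Windows-auth connection to the instance.

```powershell
# Added example (not from the original post). Verifies the SPN / delegation /
# negotiated-scheme chain for SQL Server Kerberos auth. Names are placeholders.
$SqlServiceAccount = 'CONTOSO\svc_sql'      # placeholder: account SQL Server runs as
$WebServer         = 'WEB01'                # placeholder: IIS box that delegates to SQL
$SqlInstance       = 'sql01.contoso.local'  # placeholder: FQDN of the SQL host

# 1. SPNs registered on the SQL service account. Kerberos is only offered if an
#    MSSQLSvc/<fqdn>:<port> (or :<instance>) SPN exists, and exists exactly once.
setspn -L $SqlServiceAccount

# 2. A duplicate SPN anywhere in the forest breaks Kerberos for that service
#    without any obvious error; this lists them.
setspn -X

# 3. The "trusted for delegation" check box is the TRUSTED_FOR_DELEGATION bit
#    (0x80000) in userAccountControl on the web server's computer object.
$searcher = [ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$WebServer`$))"
$result   = $searcher.FindOne()
if ($result) {
    $uac     = [int]$result.Properties['useraccountcontrol'][0]
    $trusted = ($uac -band 0x80000) -ne 0
    Write-Host "$WebServer trusted for delegation: $trusted"
} else {
    Write-Warning "Computer object for $WebServer not found"
}

# 4. Open a Windows-auth connection and ask SQL Server which scheme it used.
#    KERBEROS means the SPN / delegation chain works; NTLM means it did not.
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlInstance;Integrated Security=SSPI"
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
Write-Host "SQL connection authenticated with: $($cmd.ExecuteScalar())"
$conn.Close()
```

Run step 4 from the web server itself, as the application pool identity, when you are chasing the double-hop problem: a KERBEROS result from your admin workstation proves the SPN but says nothing about whether IIS can delegate.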

Good luck in your overly complicated, pain in the ass to administer environment. If you're dealing with these issues, your organization is run by mutants. Best of luck.

Oh yeah, you probably want to take a visit to Microsoft's KB and check out the known issues with large Kerberos ticket sizes and SharePoint. We've also had to apply the HTTP fixes to our Symantec Enterprise Vault servers since they do their previews for archived mail using HTML and IIS.

Fun stuff.

A TV ad

I just saw an ad for the Rocket Fishing Rod. A garish plastic thing. An orgasmic mix of guns and fishing to any die hard outdoorsman, to be sure. Finally, one must think, I can get the kids interested in fishing by giving them guns and letting them take shots at these fish all day.

I've never cared for fishing, or hunting for that matter. The Cro-Magnon carnivore will retort with "Well where do you think all that meat comes from then?" or something equally banal.

Surprise, I don't eat meat. Not that it's anything about saving the animals or any of that nonsense. I don't really give a shit. Well, maybe a little. But meat makes me sick. Not worth the effort to get acclimated to it. It's complicated. But fishing and hunting just seem too God damn boring to me. Sitting on the shore, or in a boat, or a blind, waiting endlessly for some poor animal with a brain the size of a pea to come along and make you lucky.

No waiting for action in this day and age. No sir. Nothing entertaining there. I want my action fast. Instant results. Have you seen fishing shows on TV? Dear God, you know they've fast-forwarded through all the bits they think are boring, and it's still like watching paint dry.

Now the hunting and fishing I can respect is that done in a very real and carnal method. Fishing? No man, not this sitting on your ass drinking beers waiting on a fish to be dumb enough to take a bite on your lure. No, my father once related a tale to me of a man who snorkeled for his fish. He'd get out in the ocean a bit on a small boat, go over the side, and look for the fish he thought he wanted. Then swim down forty or fifty feet with a spear gun, check things out, and if he wanted the fish, he'd spear it, and haul it back up and into the boat. Now that's fishing.

Hunting? My uncle used to hunt bear. Not with a rifle. Too easy. A compound bow and razor tip arrows was his method. I could respect that. No fierce overkill, like an Israeli tank going up against a Palestinian throwing rocks. No this was fair, balanced, plenty of time for that bear to come at you and maul you to death if you didn’t place a shot right.

But if I did eat meat it would only be kosher. No way I could eat that processed mystery meat that comes out of most American meat packing places. To think our beloved Congress has refused to pass laws that would require the packers to not say, sell meat that has feces in it. The American answer to this problem isn't sanitation. No no, that would be expensive, time consuming.

Instead we bombard all our meat with radiation, leave the crap in the meat, just kill the bacteria that comes along with it.

Say, who's hungry?

Friday, June 8, 2007

A strange muse strikes

I spent over an hour battling my alarm clock this morning. The constant fatigue of five-hour nights of sleep over the last few years is starting to take a strong grip on me perhaps. After forcing myself out of bed, I debated the virtues of going to work today or staying home.

Weak arguments on both sides caused me to sit staring into space for several minutes. If I stay, perhaps I can sleep in until 7:30 or so. Get some more rest. Keep these goddamn migraines away. But then the kids will wake, and like the rising of a full moon in a 50s werewolf movie, chaos would ensue. If I went to work, I was likely to fall asleep somewhere in the hour long commute. But I wouldn't burn any more of my PTO days, of which I am running low this year.

As I pondered this situation, sitting on the side of the bed, I sort of went into a daze. What does this all mean? If I stay home, would I really get any rest? Not likely. If I fell asleep on the way to work, would the accident be fatal? Probably not, with any luck I'd be knocked unconscious and hauled off in an ambulance. Maybe wake up in a few days with a concussion. But well rested nonetheless.

Hm....what to do...what to do.

Suddenly I realized I had wasted ten minutes so far and figured what the hell, off to work I go. I'm a gambler at heart. I like taking chances.

Strong urges of suicide and waves of paranoia chased me on my voyage across town. I was convinced the police or perhaps the FBI were following me. Watching my every move. Listening in on my brain waves in an unmarked van perhaps, or maybe a remote flying drone hovering overhead. Any police officer in his right mind who knew my mental state would pull me over in an instant and lock me in jail, for no reason whatsoever. The thoughts and images flashing through my head were certainly grounds enough. Where was the posse coming to lock me away, or dispense justice on the spot via a firing squad?

What had I done wrong? Why the paranoia, doubt, suicidal thoughts? I don't know really. Perhaps part of an acid flashback was in play. The stress my family exerts upon me is of no help either. My mind is something like a pressure cooker, sitting for days on a setting any sane person would never use, left forgotten to bake until the slightest tremor would cause the whole damn thing to explode, sending ceramic shards and hunks of plastic in all directions. A culinary ticking bomb with no real target. Instant mayhem in disguise.

I had a mental break down last night. It was an ugly thing. A total loss of mental discipline. I'm unsure what brought it on. It only lasted a little while, yet it was one of those time/space experiences that seems to last forever when you're in its grasp. Like the two seconds before a car wreck you see coming but can't avoid, your mind so fired on adrenaline that if you were watching close enough, you could see all the matter around you slowly decaying according to its individual half-life. The physical aspects of it were quick and precise. I'm still trying to cope with the synaptic short circuits that were left behind however. Permanent cerebral flotsam of a sort.

I'd been slowly working up to it all day. By dinner time it felt as if my spine was going to quiver out of my body. A strange sensation, as if I was picking up psychic vibrations from someone with a definitive dislike for me. But who? Could be anyone really.

After dinner, with the kids asleep, my mind was finally left to its own devices. Nothing external to nudge it along, no simple expectations to fulfill. And that’s when it hit. My mind had had enough, damnit! Fuck all this, it seemed to say. No thoughts processed through my mind for some time. A total synaptic traffic jam was in swing. All lights were green, wrecks at every intersection. The kind of total traffic fuckup that leaves city planners awake at night. I finally came to my senses some time later. My face and shirt wet with tears (or drool, one can never really tell).

I was so exhausted that I desperately wanted rest. But my mind was buzzing with this strange agitation. I couldn't think straight. What had just happened to me? Am I falling apart? Have things gotten too strange? How did this happen? These were all clearly questions that had to be addressed, but first I needed to unwind. Calm down, relax. I took two Xanax and made a large glass of vodka with some Coke mixed in for color. Pounded it down, alcoholic iced tea of sorts.

I had had a call from a private investigator earlier that day. A confused kind of call. Someone looking for my father's motorcycle. A Harley-Davidson, as I understand it. I had seen the bike a few times. Smallish, pretty, all chrome and polish and silver paint. I've no idea where it is. Or my father for that matter. He traveled off for parts unknown over a year ago.

The vodka and Xanax were starting to mellow things out, put life into perspective. I should write it all out. Inflict this madness on the outside world. Clear the mental air, so to speak.